OP Regular Newbie Apr 17, 2026 6:24pm

Severity: HIGH

Location: src/Controllers/TwoFactorController.php:74-92, 112-120

Bug: Pre-2FA session ID remains valid after enabling or disabling 2FA.

Fix: Call $this->rotateSessionRecord($userId) after both operations.

Status: open. Will reply with remediation details when resolved.

Regular Newbie Apr 17, 2026 6:39pm

Resolved.

Both TwoFactorController::enable and TwoFactorController::disable now call rotateSessionRecord($userId) + rotateCsrfToken() after toggling users.totp_secret (src/Controllers/TwoFactorController.php).

  • Enable path: pre-2FA session identifier is discarded so an attacker who captured the cookie pre-setup can't ride the now-elevated account.
  • Disable path: session rotated so any cookie that was captured while 2FA was active can't replay against the weakened account. Also clears totp_last_step for cleanliness.

Locking this thread.
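An added illustration of the fix described in this thread, not code from the project: it models a server-side session store in memory so it runs from the CLI, and shows why rotating the session record (and CSRF token) on both the enable and disable paths invalidates a cookie captured before the toggle. `SessionStore`, `rotate` and `toggleTwoFactor` are hypothetical names standing in for the controller's `rotateSessionRecord`/`rotateCsrfToken`.

```php
<?php
// Hypothetical in-memory stand-in for a DB-backed session table.
final class SessionStore
{
    /** @var array<string, array<string, mixed>> session id => record */
    private array $records = [];

    public function create(int $userId): string
    {
        $id = bin2hex(random_bytes(16));
        $this->records[$id] = ['user_id' => $userId, 'csrf' => bin2hex(random_bytes(16))];
        return $id;
    }

    public function isValid(string $id): bool
    {
        return isset($this->records[$id]);
    }

    // Move the record to a fresh id and drop the old one, so a cookie captured
    // before the privilege change no longer resolves to any session. The CSRF
    // token is rotated with it so a pre-toggle form token is also dead.
    public function rotate(string $oldId): string
    {
        $record = $this->records[$oldId];
        unset($this->records[$oldId]);
        $record['csrf'] = bin2hex(random_bytes(16));
        $newId = bin2hex(random_bytes(16));
        $this->records[$newId] = $record;
        return $newId;
    }
}

// Enable (secret given) or disable (null) 2FA, then rotate on BOTH paths.
function toggleTwoFactor(SessionStore $s, string $sid, array &$user, ?string $secret): string
{
    $user['totp_secret'] = $secret;
    if ($secret === null) {
        $user['totp_last_step'] = null; // mirrors the cleanup on the disable path
    }
    return $s->rotate($sid); // the bug was returning $sid unchanged here
}

$store = new SessionStore();
$user = ['id' => 42, 'totp_secret' => null, 'totp_last_step' => null];
$captured = $store->create(42);                    // cookie an attacker captured pre-setup
$current  = toggleTwoFactor($store, $captured, $user, 'JBSWY3DPEHPK3PXP'); // constructed secret
$current  = toggleTwoFactor($store, $current, $user, null);             // later disable
printf("captured id still valid: %s\n", $store->isValid($captured) ? 'yes' : 'no');
printf("current id valid: %s\n", $store->isValid($current) ? 'yes' : 'no');
```

Run with `php` from the command line; the captured id reports `no` after either toggle, while the freshly issued id reports `yes`.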
