MFA code request is blocking website #3029
Comments
At first glance, this behavior seems correct to me. You're getting past the first authorization step (password) but not completing the second step (code). Therefore, when you try to access the CP or content, you're being presented with the dialog. When you reload the MFA dialog page, you're getting logged out - this is expected behavior, as the authorization was not completed.
Well, not exactly. When it's the first way to reproduce this behavior (log in and come back later), there are no password requests, just a blocked page. And website pages are supposed to be accessible by anyone, regardless of authorization. It's just wrong to block them. Maybe the MFA request should pop up in a modal with a close button?
This behavior is correct:
So the page IS accessible - but the user needs to be in either the Logged In state (both authorization steps complete) or the Logged Out state (if you reload the MFA dialog without entering the code, the user gets logged out).
I have to disagree :) A public website page does not require any user to be logged in, so the user doesn't need to be logged in or logged out to see it. When he is logged out, he shouldn't be able to access the profile, CP or front-end editing tools, but page content should always be accessible. And, btw, if one checked the "remember me" checkbox, why does EE still ask him for MFA?
Maybe there is some misunderstanding here. How to reproduce:
Do you have other tabs with the CP opened at this time? Or just the frontend pages?
No, no EE pages at all.
That's all. Checked several times on a local test EE installation just to be sure :)
Hi, I'd like to add my $0.02. ($0.04)
So overall, I think that this is a bad idea on public pages, and, in order of preference, I suggest:
Linking in this discussion as well, per the remember me functionality #3169
Thinking about it more, I do agree that MFA should not be required when you re-confirm login with a password. And it definitely should not show up when "remember me" is checked. I'm adding the above PR as a way to cancel the dialog; however, there's more work required.
Pulling @matthewjohns0n into the conversation for reference as well.
EE 7.2.9
With MFA enabled, a user can face this instead of page content:
But after reloading this request is gone.
How to reproduce:
1. Log in to your CP (tick the "Keep me logged in" checkbox). Close the tab, but not the browser. After an hour, open any page of your website and see the MFA request instead of the content.
2. Log in to your CP (keep the "Keep me logged in" checkbox unchecked). Open any page. Do not close it. After an hour you will see the password request in a modal. Log in using this modal, and you will see the MFA request in the same modal. Open a page in a new tab - you will see the blocked website.