davidearl / webauthn

An implementation of webauthn in PHP on the server side (e.g. Yubico 2 and Google Titan keys)
https://webauthn.davidearl.uk
MIT License
132 stars 24 forks

Timeout not implemented? #45

Closed Skittel closed 1 year ago

Skittel commented 4 years ago

Hello,

Thanks for this great software!

I'm currently reducing the HTML & JS part to a minimum.

My PHP script creates an HTML output with the challenge already in a variable. The JS part only creates the response and calls itself with the response as a GET parameter.

This works fine. https://rdpdev.secureaccess.pro/testwa/example/4login.php

But I realized that there is no timeout. I can refresh the page with the GET parameter and after 5 minutes $webauthn->authenticate returns "OK".

I see the timeout fields during creation, but they are not checked.

This does not happen in your JS-version and POST. But this error should be there even if it is harder to show.

Stefan
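
One way to close the gap described above, as an added example (not code from this thread or from davidearl/webauthn): keep the issued challenge server-side with a timestamp, and accept it once and only within a time limit before calling `$webauthn->authenticate`. `ChallengeGuard`, the `wa_challenge` key and the 60-second limit are assumptions made for illustration; in the constructed demo only the first response is accepted, while the refreshed and the five-minute-old responses are rejected.

```php
<?php
declare(strict_types=1);

// Hypothetical helper, not part of davidearl/webauthn.
final class ChallengeGuard
{
    private $store;   // bound by reference to $_SESSION (or any per-user array)
    private $ttl;     // maximum challenge age in seconds (assumed value)

    public function __construct(array &$store, int $ttlSeconds = 60)
    {
        $this->store = &$store;
        $this->ttl = $ttlSeconds;
    }

    // Call when the page carrying the challenge is rendered.
    public function issue(string $challenge, ?int $now = null): void
    {
        $this->store['wa_challenge'] = ['value' => $challenge, 'issued' => $now ?? time()];
    }

    // Call before verifying the authenticator response. $presented is the
    // challenge the response carries (in WebAuthn, inside clientDataJSON).
    public function consume(string $presented, ?int $now = null): bool
    {
        $entry = $this->store['wa_challenge'] ?? null;
        unset($this->store['wa_challenge']);      // single use, even on failure
        if (!is_array($entry)) {
            return false;                         // nothing outstanding: replay
        }
        if ((($now ?? time()) - $entry['issued']) > $this->ttl) {
            return false;                         // challenge too old
        }
        return hash_equals($entry['value'], $presented);
    }
}

// Constructed demo: $session stands in for $_SESSION, timestamps are made up.
$session = [];
$guard = new ChallengeGuard($session, 60);

$challenge = bin2hex(random_bytes(32));
$guard->issue($challenge, 1000);
var_dump($guard->consume($challenge, 1030));   // first response, 30 s after issue
var_dump($guard->consume($challenge, 1031));   // page refreshed with the same response

$guard->issue($challenge, 2000);
var_dump($guard->consume($challenge, 2300));   // response arrives 5 minutes later
```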

davidearl commented 4 years ago

Thanks for this. Do you think it is the same issue as #40?

Skittel commented 4 years ago

Hello David, yes, this is correct. I will continue there. Stefan