jazzband / django-two-factor-auth

Complete Two-Factor Authentication for Django providing the easiest integration into most Django projects.
MIT License

user.is_verified() returns False with subdomains #518

Open adnanrafique opened 2 years ago

adnanrafique commented 2 years ago

I am using django-two-factor-auth in my Django application. Everything works fine in the local environment.

My application is tenant-based and I am using subdomains for each tenant, for example,

my application => xyz.com

user with tenant name "a" after login gets redirected to => a.xyz.com

user with tenant name "b" after login gets redirected to => b.xyz.com

When redirected to a subdomain, I get this issue: user.is_verified() always returns False even if 2fa is enabled for the user.

If I remove the subdomain redirection, it works fine and returns True if 2fa is enabled for a user.

Expected Behavior

It should return True for the users who have enabled 2fa.

Current Behavior

It always returns False even for the users who have enabled 2fa.

Your Environment

moggers87 commented 2 years ago

What's SESSION_COOKIE_DOMAIN set to? IIRC, Django's session cookies have HostOnly set on them so you'll need to make sure SESSION_COOKIE_DOMAIN has a value like .xyz.com (note the . at the start of the string) to make the session cookie work with the subdomains.
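The cookie-scoping behaviour behind that suggestion can be checked offline. The script below is an added example, not code from django-two-factor-auth or from either participant: it uses the standard-library cookie jar, configured to treat cookies without a Domain attribute as host-only the way browsers do, to show which hosts receive Django's session cookie when SESSION_COOKIE_DOMAIN is unset versus set to ".xyz.com". Django emits the Domain attribute only when SESSION_COOKIE_DOMAIN is set; the hostnames, URL paths, cookie value and the login_then_visit helper are constructed for the example.

```python
"""Added example: how a browser scopes Django's session cookie with and
without SESSION_COOKIE_DOMAIN. Not part of django-two-factor-auth.

Host names, paths and the cookie value below are constructed for the demo.
"""
import email.message
import http.cookiejar
import urllib.request


class _FakeResponse:
    """Minimal stand-in for an HTTP response: the cookie jar only calls .info()."""

    def __init__(self, set_cookie_header):
        self._headers = email.message.Message()
        self._headers["Set-Cookie"] = set_cookie_header

    def info(self):
        return self._headers


def browser_jar():
    """Cookie jar whose domain rules match browsers (RFC 6265 section 5.1.3).

    DomainStrictNonDomain makes a cookie that carries no Domain attribute a
    host-only cookie: it is returned only to the exact host that set it. The
    jar's default policy (DomainLiberal) would also send it to subdomains,
    which is the old Netscape behaviour and not what browsers do today.
    """
    policy = http.cookiejar.DefaultCookiePolicy(
        strict_ns_domain=http.cookiejar.DefaultCookiePolicy.DomainStrictNonDomain
    )
    return http.cookiejar.CookieJar(policy)


def login_then_visit(session_cookie_domain, login_host, visit_host):
    """Log in on login_host, then return the Cookie header the browser would
    send to visit_host (None if the session cookie is not sent there).

    session_cookie_domain mirrors Django's SESSION_COOKIE_DOMAIN: None means
    Django writes no Domain attribute, so the cookie is host-only.
    """
    jar = browser_jar()
    # Constructed Set-Cookie as Django's SessionMiddleware would emit it on login.
    set_cookie = "sessionid=constructed-session-id; Path=/; HttpOnly; Secure; SameSite=Lax"
    if session_cookie_domain is not None:
        set_cookie += f"; Domain={session_cookie_domain}"
    login_req = urllib.request.Request(f"https://{login_host}/account/login/")
    jar.extract_cookies(_FakeResponse(set_cookie), login_req)

    # The post-login redirect lands on the tenant host; does the session follow?
    visit_req = urllib.request.Request(f"https://{visit_host}/dashboard/")
    jar.add_cookie_header(visit_req)
    return visit_req.get_header("Cookie")


if __name__ == "__main__":
    # SESSION_COOKIE_DOMAIN unset: the cookie stays on xyz.com, so the request
    # to a.xyz.com arrives without a session and the user is anonymous there.
    print("unset    -> xyz.com    :", login_then_visit(None, "xyz.com", "xyz.com"))
    print("unset    -> a.xyz.com  :", login_then_visit(None, "xyz.com", "a.xyz.com"))
    # SESSION_COOKIE_DOMAIN = ".xyz.com": every subdomain receives the cookie,
    # including the hosts of other tenants, but not unrelated domains.
    print(".xyz.com -> a.xyz.com  :", login_then_visit(".xyz.com", "xyz.com", "a.xyz.com"))
    print(".xyz.com -> b.xyz.com  :", login_then_visit(".xyz.com", "xyz.com", "b.xyz.com"))
    print(".xyz.com -> xyz.example:", login_then_visit(".xyz.com", "xyz.com", "xyz.example"))
```

The second group of calls is the caveat a practitioner should weigh before applying the setting: a cookie scoped to .xyz.com is sent to b.xyz.com just as readily as to a.xyz.com, so one authenticated session is presented to every tenant host, and any script running on a tenant subdomain can make requests that carry it. That is acceptable when all subdomains are operated by the same deployment, which is the case described in the issue, but not when tenant hosts serve mutually untrusted content. CSRF_COOKIE_DOMAIN has the same host-only default and usually needs the same value for forms on the subdomains to validate.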