Closed jwag956 closed 1 year ago
The new-ish tf_validity cookie, which is set upon successful two-factor authentication - isn't deleted on an explicit logout - which both the session and remember cookie are. This seems like a security concern.
@baurt - any comments?
Ok - never mind - I re-read OWASP and it does imply this should outlast a logout....
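An added example, not from this issue or the project's code: a small audit helper that replays the `Set-Cookie` headers from a login and a logout response and reports which cookies a browser would still hold afterwards. The cookie names `session` and `remember_token`, the header values, and the function names are constructed assumptions; only `tf_validity` comes from the thread.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from http.cookies import SimpleCookie

# Constructed sample headers (assumed names and values, not captured traffic).
LOGIN_HEADERS = [
    "session=constructed-session; HttpOnly; Path=/",
    "remember_token=constructed-remember; Max-Age=31536000; HttpOnly; Path=/",
    "tf_validity=constructed-tf-token; Max-Age=2592000; HttpOnly; Path=/",
]
LOGOUT_HEADERS = [
    "session=; Expires=Thu, 01 Jan 1970 00:00:00 GMT; Max-Age=0; Path=/",
    "remember_token=; Expires=Thu, 01 Jan 1970 00:00:00 GMT; Path=/",
]


def is_deletion(morsel, now):
    """True if this Set-Cookie tells the browser to drop the cookie."""
    max_age = morsel["max-age"]
    if max_age:  # Max-Age takes precedence over Expires (RFC 6265)
        try:
            return int(max_age) <= 0
        except ValueError:
            return False
    expires = morsel["expires"]
    if expires:
        try:
            when = parsedate_to_datetime(expires)
        except (TypeError, ValueError):
            return False
        if when.tzinfo is None:
            when = when.replace(tzinfo=timezone.utc)
        return when <= now
    return False


def cookies_after_logout(login_headers, logout_headers, now=None):
    """Replay Set-Cookie headers in order; return names still stored."""
    now = now or datetime.now(timezone.utc)
    jar = set()
    for header in list(login_headers) + list(logout_headers):
        parsed = SimpleCookie()
        parsed.load(header)
        for name, morsel in parsed.items():
            if is_deletion(morsel, now):
                jar.discard(name)
            else:
                jar.add(name)
    return jar
```

With the constructed headers above, `cookies_after_logout(LOGIN_HEADERS, LOGOUT_HEADERS)` returns only `tf_validity`, which matches the behaviour the thread describes.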