ryanjohns / passmaster

Host-Proof password storage using client-side AES-256 encryption.
https://passmaster.io
GNU General Public License v3.0

(edge case) Multiple logins issue #5

Closed etipton closed 9 years ago

etipton commented 9 years ago

@ryanjohns just documenting this one in case you have any suggestions for the best fix --

MFA doesn't work if you have multiple logins and you try using the same browser for all of them... I think because of the way the code sets one permanent _client_id session cookie (maybe?)

I forked the repo and maybe one day I can dig in to try and fix :)

Meanwhile if you have any insight let me know.

ryanjohns commented 9 years ago

Yeah, that sounds like the cause. I'll take a look soon as I can't remember all the flows off the top of my head. Thanks!

etipton commented 9 years ago

To recreate the underlying issue:

  1. Clear all cookies for 127.0.0.1 (or whatever development domain is used).
  2. Create a new user and enable MFA.
  3. Click the logout button.
  4. Try to repeat number 2 with a second new user - enabling MFA will fail when attempting to enter the code.

ryanjohns commented 9 years ago

Thanks for tracking this down! It has been fixed via b59a87c33dda3d4bb500804d26b0df0aa2e57678.

etipton commented 9 years ago

Awesome! Thanks so much.

etipton commented 9 years ago

Just tested in production -- working perfectly for me.

ryanjohns commented 9 years ago

Excellent!