sonata-project/google-authenticator Version 2.2.0
sonata-project/admin-bundle version: 3.67.0
Symfony version: 4.4.8
Description
Bypass 2fa by rememberme cookie
To Reproduce
When remember-me is enabled in the security firewall and the remember_me checkbox is ticked in the login form, Symfony creates a "REMEMBERME" cookie on submit. At that moment we are redirected to the 2FA auth page and have no access to the other pages.
If we then remove our SESSIONID key with the browser's cookie inspector, we can go to the homepage "/admin/dashboard" and are IS_AUTHENTICATED_REMEMBERED, effectively being logged in without 2FA and bypassing the check.
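One defensive check for the behaviour described above, as an added example that is not code from this issue, from sonata-project or from Symfony: a Symfony 4.4 request subscriber that refuses to serve admin pages to a remember-me token until the session carries a 2FA-complete flag, so dropping the session cookie sends the visitor back to the 2FA check instead of the dashboard. The flag name `2fa_complete`, the route name `admin_2fa_check` and the `/admin` path prefix are assumptions.

```php
<?php
// Added example, not code from the original issue, sonata-project or Symfony.
// A remember-me login is only IS_AUTHENTICATED_REMEMBERED, so it must not reach
// admin pages until 2FA has completed. ASSUMPTIONS: the session flag '2fa_complete',
// the route 'admin_2fa_check' and the '/admin' prefix are hypothetical names.
namespace App\EventSubscriber;
use Symfony\Component\EventDispatcher\EventSubscriberInterface;
use Symfony\Component\HttpFoundation\RedirectResponse;
use Symfony\Component\HttpKernel\Event\RequestEvent;
use Symfony\Component\HttpKernel\KernelEvents;
use Symfony\Component\Routing\Generator\UrlGeneratorInterface;
use Symfony\Component\Security\Core\Authentication\Token\RememberMeToken;
use Symfony\Component\Security\Core\Authentication\Token\Storage\TokenStorageInterface;

final class RememberMeTwoFactorGuard implements EventSubscriberInterface
{
    private const SESSION_FLAG = '2fa_complete';   // assumed: set by the 2FA controller on success
    private const CHECK_ROUTE = 'admin_2fa_check'; // assumed: route of the 2FA form
    private $tokenStorage;
    private $urlGenerator;

    public function __construct(TokenStorageInterface $tokenStorage, UrlGeneratorInterface $urlGenerator)
    {
        $this->tokenStorage = $tokenStorage;
        $this->urlGenerator = $urlGenerator;
    }

    public static function getSubscribedEvents(): array
    {
        // Priority 7: just after the firewall listener (priority 8), so the token is populated.
        return [KernelEvents::REQUEST => ['onKernelRequest', 7]];
    }

    public function onKernelRequest(RequestEvent $event): void
    {
        $request = $event->getRequest();
        if (!$event->isMasterRequest() || !$request->hasSession()
            || strpos($request->getPathInfo(), '/admin') !== 0) {
            return;
        }
        // A fresh form login already passes through the 2FA page; only remember-me is affected.
        $token = $this->tokenStorage->getToken();
        if (!$token instanceof RememberMeToken || $request->attributes->get('_route') === self::CHECK_ROUTE) {
            return;
        }
        // Deleting the session cookie also drops this flag, so a cookie-only visitor is redirected.
        if ($request->getSession()->get(self::SESSION_FLAG) !== true) {
            $event->setResponse(new RedirectResponse($this->urlGenerator->generate(self::CHECK_ROUTE)));
        }
    }
}
```

With Symfony's default autoconfiguration the class is registered as a subscriber automatically; the 2FA controller must set the session flag on a successful code check for the redirect loop to end.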
If this is known, I have not found it documented.