Frequently logged out when using 2FA #100

Open
KarlBishop opened this issue Jul 5, 2024 · 5 comments

@KarlBishop

I'm frequently asked to re-enter my password when using 2FA, even when I check "Keep me signed in for 2 weeks". It happens about every 25 minutes.

Re-entering my password seems to work but actually fails - I cannot continue editing and am booted back to the login screen when I click any link.

At the login screen, after entering my password and 2FA code I can sometimes continue... BUT sometimes the 2FA code is rejected and I have to manually go to "/admin/logout" before I can proceed through login.

I read issue #42 - not sure if a similar situation applies in my case but here are some of my settings that appeared to be relevant there:

# General config
'defaultTokenDuration' => 86400, // 1 day (default)
'purgePendingUsersDuration' => 0, // disabled (default)
'verificationCodeDuration' => 'P5D', // 5 days
'rememberedUserSessionDuration' => 1209600, // 14 days (default)
'userSessionDuration' => 3600, // 1 hour (default)

# PHP
session.save_handler = user
session.cookie_lifetime = 1800
session.cookie_secure = 1

I was wondering if my db got screwed up somehow (e.g. tables missing after uninstall/reinstall).
I can see two tables that obviously belong to the plugin:

  • twofactorauthentication_user
  • twofactorauthentication_usertoken

Any idea what could be causing my issue?
I realise the plugin is no longer maintained, so any help would be much appreciated.

Craft Pro 4.10.4
PHP 8.1.28
MariaDB 10.11.5
Two-Factor Authentication 3.4.0

@roelvanhintum
Contributor

Hi @KarlBishop, thanks for the issue and explanation. The session.cookie_lifetime setting is 30min which could be the problem. Could you also check session.gc_maxlifetime to be sure? In case none of this works, you could also check #63

@KarlBishop
Author

KarlBishop commented Jul 5, 2024

Aha, very interesting.

session.gc_maxlifetime is also set to 1800

And we are also using Servd, like the OP of #63

I read Servd's blog post about fixing the previous issue - it sounds like we shouldn't have the same thing happening because we're running with the latest version of the Servd plugin. But it does seem very similar. I'll ask Servd if they can take a look.

@jeffreyzant

I was experiencing the same issues as described here and in Servd's blog post. We are running our installation in a multi-node K8s environment and configured the php.ini session.save_handler to memcached. This worked fine for all Craft installs except for the sites with 2FA auth enabled. We have now configured Craft/Yii to use the dedicated memcached driver, combined with yii\web\CacheSession instead of the 'FileDriver' that uses the save_path.

It would be nice if Craft or Yii would have just swapped the adapter when the session.save_handler is set to memcached, but I'm not going to fight that battle :). I'll just drop my solution here and hope this will save someone's day (or week).

Also a shoutout to the guys at Servd that decided to create the blog post.

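'components' => [
    // Dedicated cache component that holds session data in memcached
    'sessionCache' => [
        'class' => yii\caching\MemCache::class,
        'useMemcached' => true,
        // servers is a list of server definitions, one array per memcached node
        'servers' => [
            [
                'host' => HOST,
                'port' => PORT,
                'weight' => 100,
            ],
        ],
    ],

    // Keep Craft's session settings, but store sessions through the cache component
    'session' => function() {
        $config = craft\helpers\App::sessionConfig();
        $config['class'] = yii\web\CacheSession::class;
        $config['cache'] = 'sessionCache';

        return Craft::createObject($config);
    },
]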

@WHITE-developer

We are also frequently asked to re-enter our password when using Two-Factor Authentication (2FA), even after selecting "Keep me signed in for X weeks."

Steps to Reproduce:

  1. Log in with 2FA and check the option "Keep me signed in for X weeks."
  2. Use the application as normal.
  3. Observe that after approximately 25 minutes, the system requests a re-login.

Expected Behavior:

  • The session should remain active without requiring a re-login for the duration specified (X weeks).

Actual Behavior:

  • The session times out and prompts for re-authentication approximately every 25 minutes, regardless of the "Keep me signed in" option.

We don't use Servd.

Craft Pro 4.5.11.1
PHP 8.2.7
MySQL 8.0.39
Two-Factor Authentication 3.3.7

@joeservd

Hey folks, Joe from Servd. If you're looking to increase the session.cookie_lifetime and session.gc_maxlifetime settings, have a read of this doc page: https://servd.host/docs/my-sessions-are-expiring-too-soon. Our default is 1800, but you can increase it by setting a PHP_SESSION_LENGTH environment variable.
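
Added example, not part of any comment in this thread and not Craft or plugin code: a PHP check for the mismatch discussed above, where session.cookie_lifetime and session.gc_maxlifetime (1800) are shorter than userSessionDuration (3600). The function name and input layout are hypothetical; the sample values are the ones posted in the thread.

```php
<?php
// Added example; the function name and array layout are hypothetical.
// All durations are in seconds.

/**
 * Report PHP session limits that end a session before Craft's idle timeout.
 *
 * @param array $php session.cookie_lifetime and session.gc_maxlifetime values
 * @param int $userSessionDuration Craft's userSessionDuration (0 = no fixed timeout)
 * @return string[] one message per PHP limit that is shorter than Craft's
 */
function sessionLifetimeFindings(array $php, int $userSessionDuration): array
{
    $findings = [];
    if ($userSessionDuration <= 0) {
        return $findings; // no fixed timeout to compare against
    }

    // cookie_lifetime 0 means "until the browser closes", so only a positive
    // value can expire the cookie while the user is still working.
    $cookie = (int)($php['session.cookie_lifetime'] ?? 0);
    if ($cookie > 0 && $cookie < $userSessionDuration) {
        $findings[] = "session.cookie_lifetime ($cookie) is shorter than userSessionDuration ($userSessionDuration)";
    }

    // gc_maxlifetime is how long idle session data is kept before the
    // save handler is allowed to delete it.
    $gc = (int)($php['session.gc_maxlifetime'] ?? 0);
    if ($gc > 0 && $gc < $userSessionDuration) {
        $findings[] = "session.gc_maxlifetime ($gc) is shorter than userSessionDuration ($userSessionDuration)";
    }

    return $findings;
}

// Values as posted in this thread (constructed input for the example).
$posted = ['session.cookie_lifetime' => 1800, 'session.gc_maxlifetime' => 1800];
foreach (sessionLifetimeFindings($posted, 3600) as $line) {
    echo '[posted] ', $line, PHP_EOL;
}

// On a live host, read the effective values of the running PHP process instead.
$live = [
    'session.cookie_lifetime' => ini_get('session.cookie_lifetime'),
    'session.gc_maxlifetime' => ini_get('session.gc_maxlifetime'),
];
foreach (sessionLifetimeFindings($live, 3600) as $line) {
    echo '[live] ', $line, PHP_EOL;
}
```

Run the live part through the web server rather than the CLI, since the two can load different php.ini files.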
