
TOTP bypass issue after password authentication #15

@binayag1

Description


The user is able to bypass the TOTP page just by refreshing the page.

Issue:
The variable 'lastverified' is intended to track the time when the user last successfully verified the TOTP code. However, in the current code, 'lastverified' is set as soon as the user lands on the authentication page, which appears to be incorrect. 'lastverified' should only be set when the TOTP is successfully matched and verified. As a workaround, I have moved the code to set 'lastverified' within the authenticate.php file, under the section where the TOTP code is matched.

```php
// authenticate.php: record 'lastverified' only once the submitted code matches.
// $code, $session and $state are already set earlier in this file.
use SimpleSAML\Auth\ProcessingChain;
use SimpleSAML\Session;

if ($code === $_REQUEST['code']) {
    $now = time();
    // Moved here from the page-load path: the timestamp now proves a
    // successful verification rather than a mere visit to the TOTP page.
    $session->setData(
        '\SimpleSAML\Module\simpletotp',
        'lastverified',
        $now,
        Session::DATA_TIMEOUT_SESSION_END
    );
    ProcessingChain::resumeProcessing($state);
} else {
    $displayed_error = "You have entered the incorrect TOTP token.";
}
```

This needs to be fixed asap.
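As an added illustration (not code from the simpletotp module or from the reporter), a small Python model of the two paths: `landing` stands in for the TOTP prompt, `authenticate` for authenticate.php, and `filter_passes` for the processing filter's check of `lastverified`. The secret and timestamps are constructed; the "buggy" flag reproduces the reported behaviour of stamping the session on page load.

```python
import hashlib
import hmac
import struct

SECRET = b"constructed-demo-secret"   # constructed sample, not a real enrolment
LASTVERIFIED = "lastverified"         # session key from the issue


def totp(secret: bytes, t: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP over the 30-second counter derived from t."""
    counter = struct.pack(">Q", t // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def landing(session: dict, now: int, buggy: bool) -> None:
    """Render the TOTP prompt. The reported bug: the buggy variant records
    'lastverified' here, before any code has been checked."""
    if buggy:
        session[LASTVERIFIED] = now


def authenticate(session: dict, submitted: str, now: int) -> bool:
    """Check the submitted code; only a match may record 'lastverified'."""
    if hmac.compare_digest(totp(SECRET, now), submitted):
        session[LASTVERIFIED] = now
        return True
    return False


def filter_passes(session: dict) -> bool:
    """The processing filter's gate: resume only if a verification is recorded."""
    return LASTVERIFIED in session


def refresh_bypasses(buggy: bool, now: int = 1_700_000_000) -> bool:
    """Model the reporter's repro: open the prompt, enter nothing, reload."""
    session: dict = {}
    landing(session, now, buggy)   # first visit to the TOTP page
    return filter_passes(session)  # the refresh re-runs the filter's check


def correct_code_passes(now: int = 1_700_000_000) -> bool:
    session: dict = {}
    landing(session, now, buggy=False)
    return authenticate(session, totp(SECRET, now), now) and filter_passes(session)


def wrong_code_passes(now: int = 1_700_000_000) -> bool:
    session: dict = {}
    landing(session, now, buggy=False)
    bad = "000000" if totp(SECRET, now) != "000000" else "000001"
    authenticate(session, bad, now)
    return filter_passes(session)
```

With the buggy ordering a refresh alone satisfies the filter; with the corrected ordering only a matching code does, which is the property a regression test for this issue should assert.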
