XenForo
Administrative
- Thread starter
- Admin
- #1
I've noticed that the two-factor implementation doesn't log out.
I believe that this could be considered a security flaw in the implementation, as after logging out the browser is still validated. If I had to log in on someone else's computer, logging out won't remove the two-factor access and it will log in right away without asking for the OTP.
When you enter a valid two-factor code, the browser stays validated for an entire month and it requires you to stop trusting the device. I believe that there should be...