Problem

Session Expiry Issue During 2FA Disablement Flow

Transcript

00:00 This re-verification stuff actually has caused a little bit of a problem for us. So if I go to Cody, and Cody loves you, and I'm going to say, remember me, this is the key point here. And then we're going to get our two-factor auth code right here, and submit that. Okay, so I've got my session right here.

00:19 It expires in 30 days or whatever. And so then I go over to my profile, and let's say that I want to disable two-factor auth. And I've already set up our two hours to be five seconds for this re-verification time. But I say disable 2FA,

00:38 and right here, my session expires at this time. So that's fine. But when I set my code, watch this. Oh no, my session now expires with the session. What just happened? Well, the problem is that we are calling commit session

00:57 as part of this process. And when we commit the session, and we're doing that right, let's see, right here. We're saying commit session. And unfortunately, when you do commit session, because our session storage is configured

01:14 in the way that it is to not have an expires, it's not going to set an expires or max age. And so the default will happen, which is to expire at the end of the session. So you have to set an expires. The problem is that during the re-verification process,

01:32 we actually don't have the user's decision on whether they want to remember the session or not, right? Because we do have the session expiration date, that's saved in the database. We have access to that session, that's fine. But right here, we're conditionally setting

01:49 whether or not we want this cookie to be expires based on their remember preference. But in this flow right here, if I say disable 2FA, there's no remember preference. That's not a thing. There's no way for me to say, hey, I want you to remember me again or anything like that. That wouldn't even make sense.

02:08 And so we need to somehow store this expires value in the cookie so that whenever we say commit session, it will remember when was this supposed to expire. I will commit it with that expiration date. This is a bit of an edge case problem and a bit of an annoyance. I wish that we could just say commit session

02:29 and remember the expiration date for when it was. And so we're actually gonna kind of build that. So we're not gonna have to change any of this code here, but we're gonna preserve the expiration date. And we're gonna do that by actually overriding the commit session method. It's gonna, yeah, there's a little bit of JavaScript magic that's gonna happen in this step of the exercise,

02:49 but it's gonna solve this problem and you're gonna love doing it. So get right to it. Have a good time.