diff --git a/modules/material/themes/material/mfa/prompt-for-mfa-backupcode.twig b/modules/material/themes/material/mfa/prompt-for-mfa-backupcode.twig
index fcbf1697..e16ef2d6 100644
--- a/modules/material/themes/material/mfa/prompt-for-mfa-backupcode.twig
+++ b/modules/material/themes/material/mfa/prompt-for-mfa-backupcode.twig
@@ -78,7 +78,7 @@
{{ '{mfa:remember_this}'|trans }}
-
+
diff --git a/modules/material/themes/material/mfa/prompt-for-mfa-manager.twig b/modules/material/themes/material/mfa/prompt-for-mfa-manager.twig
index ec6d08b7..74db6ec0 100644
--- a/modules/material/themes/material/mfa/prompt-for-mfa-manager.twig
+++ b/modules/material/themes/material/mfa/prompt-for-mfa-manager.twig
@@ -78,7 +78,7 @@
{{ '{mfa:remember_this}'|trans }}
-
+
diff --git a/modules/material/themes/material/mfa/prompt-for-mfa-totp.twig b/modules/material/themes/material/mfa/prompt-for-mfa-totp.twig
index c159c9d9..41bf21cc 100644
--- a/modules/material/themes/material/mfa/prompt-for-mfa-totp.twig
+++ b/modules/material/themes/material/mfa/prompt-for-mfa-totp.twig
@@ -76,7 +76,7 @@
{{ '{mfa:remember_this}'|trans }}
-
+
diff --git a/modules/material/themes/material/mfa/prompt-for-mfa-webauthn.twig b/modules/material/themes/material/mfa/prompt-for-mfa-webauthn.twig
index 0138ca6f..779b8ad8 100644
--- a/modules/material/themes/material/mfa/prompt-for-mfa-webauthn.twig
+++ b/modules/material/themes/material/mfa/prompt-for-mfa-webauthn.twig
@@ -139,7 +139,7 @@
{{ '{mfa:remember_this}'|trans }}
-
+
diff --git a/modules/mfa/public/prompt-for-mfa.php b/modules/mfa/public/prompt-for-mfa.php
index 21ee838a..29530c7b 100644
--- a/modules/mfa/public/prompt-for-mfa.php
+++ b/modules/mfa/public/prompt-for-mfa.php
@@ -74,6 +74,8 @@
$rememberMe = filter_input(INPUT_POST, 'rememberMe') ?? false;
+ Mfa::setRememberMePreferenceCookie($rememberMe);
+
// NOTE: This will only return if validation fails.
$errorMessage = Mfa::validateMfaSubmission(
$mfaId,
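Review bot: The added call passes the raw `filter_input()` result (a string, `null` or `false`) to `setRememberMePreferenceCookie(bool $rememberMe)`. If this file declares `strict_types=1` (not visible in the hunk), a ticked box would raise a TypeError; without it the string is coerced by truthiness, so any non-empty value other than "0" counts as checked. Casting at the call site leaves `$rememberMe` unchanged for `validateMfaSubmission()`: `Mfa::setRememberMePreferenceCookie((bool) $rememberMe);`. The preference cookie is also written before the submitted code is validated, so a failed attempt still updates it; if that is intended, a one-line comment saying so would help the next reader.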
@@ -126,6 +128,7 @@
$t->data['manager_email'] = $state['managerEmail'];
$t->data['other_options'] = $otherOptions;
$t->data['idp_name'] = $t->getEntityDisplayName($state['IdPMetadata']);
+$t->data['rememberMePreference'] = filter_input(INPUT_COOKIE, 'remember_me_preference') ?? '';
$t->send();
$logger->info(json_encode([
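Review bot: The `remember_me_preference` cookie value read on the added line is client-controlled and is handed to the templates unchanged. The Twig lines that consume `rememberMePreference` are not visible in this diff, but if the value is emitted as a bare attribute on the checkbox, HTML auto-escaping alone does not stop a crafted value from introducing other attributes. Reducing it to the single expected token removes the dependency on template escaping: `$t->data['rememberMePreference'] = filter_input(INPUT_COOKIE, 'remember_me_preference') === 'checked' ? 'checked' : '';`.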
diff --git a/modules/mfa/src/Auth/Process/Mfa.php b/modules/mfa/src/Auth/Process/Mfa.php
index ca03f60c..8eef6cc6 100644
--- a/modules/mfa/src/Auth/Process/Mfa.php
+++ b/modules/mfa/src/Auth/Process/Mfa.php
@@ -495,6 +495,8 @@ public static function validateMfaSubmission(
// Set remember me cookies if requested
if ($rememberMe) {
self::setRememberMeCookies($state['employeeId'], $state['mfaOptions']);
+ } else {
+ self::clearRememberMeCookies();
}
$logger->warning(json_encode([
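Review bot: The comment above this branch still reads "Set remember me cookies if requested", although the new `else` arm now expires them; it could read `// Set remember-me cookies if requested; otherwise expire any existing ones in this browser`. Expiring `c1`/`c2` only removes them from the browser that made this request. Whether the server keeps any state it could invalidate is not visible here, so if the remembered-device check depends only on the cookie values, a previously copied pair would presumably stay usable until its expiry date; that is worth stating in the comment or confirming. `validateMfaSubmission()` starts and ends outside this hunk.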
@@ -808,6 +810,33 @@ public static function setRememberMeCookies(
setcookie('c2', $expireDate, $expireDate, '/', null, $secureCookie, true);
}
+ /**
+ * Clear remember_me cookies (c1 and c2)
+ */
+ public static function clearRememberMeCookies(): void
+ {
+ $secureCookie = Env::get('SECURE_COOKIE', true);
+ setcookie('c1', '', time() - 3600, '/', null, $secureCookie, true);
+ setcookie('c2', '', time() - 3600, '/', null, $secureCookie, true);
+ }
+
+ public static function setRememberMePreferenceCookie(bool $rememberMe): void
+ {
+ $secureCookie = Env::get('SECURE_COOKIE', true);
+ setcookie(
+ 'remember_me_preference',
+ $rememberMe ? 'checked' : '',
+ [
+ 'expires' => $rememberMe ? time() + (86400 * 30) : time() - 3600,
+ 'path' => '/',
+ 'domain' => null,
+ 'secure' => $secureCookie,
+ 'httponly' => true,
+ 'samesite' => 'Lax'
+ ]
+ );
+ }
+
protected static function shouldPromptForMfa(array $mfa): bool
{
return (strtolower($mfa['prompt']) !== 'no');
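Review bot: `setRememberMePreferenceCookie()` has no docblock, unlike `clearRememberMeCookies()` directly above it. A short one should state that this cookie only remembers the checkbox state for pre-selecting the prompt and must never be treated as evidence that MFA was satisfied. The 30-day lifetime is an inline literal (`86400 * 30`); whether it is meant to track the `c1`/`c2` lifetime is not visible from these lines, so a named constant or a comment tying the two together would prevent drift. The new cookie sets `samesite` explicitly, while the `c1`/`c2` calls use the positional form without it; switching those to the options-array form as well would make the attributes of the cookies that actually gate MFA explicit.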