Preserve 'remember me' choice across 2FA

Carry the login "remember me" choice through two-factor authentication by storing it in the session. When a user initially logs in, set $_SESSION['pending_remember'] = $remember; after successful 2FA, TwoFactorController checks and clears that flag and invokes a new public wrapper (createRememberTokenPublic) on AuthController to create the persistent remember token. This allows remember-me behavior to be applied only after 2FA completes.
2026-03-10 23:04:20 +02:00
parent a265a58456
commit 36abf58838
2 changed files with 17 additions and 0 deletions
--- a/app/Controllers/AuthController.php
+++ b/app/Controllers/AuthController.php
@@ -156,6 +156,7 @@ class AuthController extends Controller
            $_SESSION['email'] = $user['email'];
            $_SESSION['role'] = $user['role'];
            $_SESSION['2fa_required'] = true;
+            $_SESSION['pending_remember'] = $remember;
            
            // Clear any existing session messages before redirecting to 2FA
            unset($_SESSION['error']);
@@ -706,6 +707,14 @@ class AuthController extends Controller
        }
    }

+    /**
+     * Public wrapper for creating remember token (used by TwoFactorController after 2FA)
+     */
+    public function createRememberTokenPublic(int $userId): void
+    {
+        $this->createRememberToken($userId);
+    }
+
    /**
     * Create remember me token linked to current session
     */