I having to login various CF acc every hour while work, It’s annoying after log out it will ask Google Auth again and again when I wish to login my own… I know Security is important without a question, but making paranoid and obscurity is not.
Can you please bring Trust this device for 7 days kind of thing? It would be helpful. An example -
Sign in to CloudflarePassword
Sign in
Trust this device | Continue
I’m seeing the same thing. It used to work. I think something broke a few weeks ago and it’s not remembering logins. Someone mentioned something about it now using a session cookie, but I haven’t pursued the issue.
Maybe a cookie-wise @MVP can take a look at the cookie and explain this to me using small words.
Using Firefox perhaps?
Thinking that this might be related:
This happened before 86. And 86 shouldn’t affect it, as I’m using the same cookie jar as the day before. I really think it has to do with when Remember Me broke a couple weeks ago.
You’re probably right.
Are we talking logging in to the dashboard or somewhere else?
Yep. Dashboard(s). Community “Remembers Me” day after day. Dashboard doesn’t remember me once I quit Firefox.
Sorry, I am Google Chrome user.
To ensure this message reaches in right context, let me re-phrase with repro steps
Problem Description: Remember me doesn’t respect Two Factor Auth on a Browser.
My browser: Chrome Version 88.0.4324.190 (Official Build) (64-bit)
Condition
Steps to reproduce the issue
Sign with ‘Remember me’ checked
CF will ask to enter TFA code.
Now click Log out
Login your own CF
Again, it will ask TFA code.
Why asking TFA every time when I had checked Remember me?
The system should recognize my browser fingerprint. && IP, when both at least doesn’t change then do not bother again and again.
It does seem to be Firefox specific though, I’m being kept logged in when I try this with Chrome.
Ah, probably related to TFA then, which I noticed like a month back that I was being logged out all the time.
Due to this reason, many time I had to turn off Google auth but just because invited account enforce TFA, I having to enable again and over that not all clients share in that way so I could just have my own acc logged in 24*7. Sometime, I just have to use my client credentials directly to access their account… and then this experience begin. It feels like struggle.
I do recall some info from a while ago in a discussion with @ggalow. I’m not sure if this is still the case, though.
Essentially. it was the case that if you click the log out button rather than the session timing out, all remember me cookies are cleared.
By default, your login will timeout after 24hrs of inactivity and the remember me cookies (CF_UALE for credentials and _cf_uticket for bypassing 2FA) will work.
If you sign out manually, both those cookies should be removed and you will need to put all your details again.
No idea if that helps with troubleshooting, or if it still works the same way.
I have the same problem in Safari on Big Sur and iOS. It has being going on for a few weeks at least.
I never sign out. At one point, it was so bad that Teams dashboard would log me out after some amount of idle time. But quitting Firefox, then coming back later that day forces me to log in again.
@domjh is right regarding “Essentially. it was the case that if you click the log out button rather than the session timing out, all remember me cookies are cleared.”
As a point of safety, if you purposely log out we clear all cookies related to your login including remember me. It doesn’t make sense for Cloudflare to ‘remember you’ if you asked us to log you out.
This is not to say we haven’t had reports of issues with remember me in general (though many cases are due to ‘testing with log out’). It has been extremely difficult for us to debug or reproduce these though. We also have some less obvious security rules like: if you IP changes during a single session, we will invalidate the session. This is done to prevent cookie hijacks.
Very likely we will be removing ‘remember me’ as a general security precaution. The cookie it leaves is quite powerful and reduces customer security especially when they have 2FA enabled.
This happened to me too recently. So annoying.
Removing the remember me option is not a viable solution…
For me (and for many other users I guess) I am not willing to:
Unless you reinstate the remember feature (which I hope you will), I’ll just go ahead and remove 2FA entirely for my account. Crossing my finger for nobody to gain access to my now insecure account.
I don’t understand this move, too much security leads to less security… You are the only website I use 2FA on that did this, you are reducing the interest in two factor authentification.
Regards,