Files accessible after logout/login in same browser session

[michielbdejong]

• using https://github.com/SUNET/nextcloud-custom
• log in with MFA and create an MFA Zone
• log out and, in the same browser session, log in without MFA

Expected:
The folder should not be accessible
Actual:
The folder is accessible

I'm setting up our dev environment to reproduce this; would be good to try if it also happens when using a private browsing tab, and to see what the values of the session variables are (maybe install MFA Checker for this in the dev setup)

[michielbdejong]

I'm now trying to rebuild a dev env starting from an older version of this repo -> pondersource/dev-stock#50

[michielbdejong]

I'll try this out using:

docker exec -it sunet-ssp-mdb mysql -u root -pr00tp@ssw0rd
use saml;
select * from users;

I think I reproduced the issue!
After clicking "log out", I'm not actually logged out and it still shows MFA verified:

however if I open a new session in a private browsing tab then I do correctly see the MFA Zones as inaccessible:

[michielbdejong]

So based on that observation, I think we're safe!

[michielbdejong]

@mickenordin and [Richard Freitag (?)] what do you think?

[mickenordin]

Ok, that is a good observation, I can reproduce the behaviour. How come the mfa provisioning is not triggered though, so I can give a second factor?