I have a setup, where a single vhosted TwoFactorAuth is serving multiple vhost servers. In this case the cookies must be bound to the protected vhost instead of the TwoFactorAuth vhost.
Looks like this line in login.php :
$domain = ($_SERVER['HTTP_HOST'] !== 'localhost') ? $_SERVER['SERVER_NAME'] : false;
is checking for the correct Host request header but then is using the SERVER_NAME instead, which seems wrong. I guess the more correct code would be:
$domain = (isset($_SERVER['HTTP_HOST']) && $_SERVER['HTTP_HOST'] !== 'localhost') ? $_SERVER['HTTP_HOST'] : false;
I have a setup, where a single vhosted TwoFactorAuth is serving multiple vhost servers. In this case the cookies must be bound to the protected vhost instead of the TwoFactorAuth vhost.
Looks like this line in
login.php:is checking for the correct
Hostrequest header but then is using theSERVER_NAMEinstead, which seems wrong. I guess the more correct code would be: