Tiny Tiny RSS: Community

Chrome 74 breaks two factor authentication

#1

Describe the problem you’re having:
After upgrading to Chrome 74, I can no longer log in using two-factor authentication. Upon entering the 6-digit code, I receive the “Session failed to validate (UA changed).” message.

If possible include steps to reproduce the problem:
Log in entering userid/password, then enter the 6-digit token.

tt-rss version (including git commit id):

adc2a5169…4a21642f0; master -> origin/master
Updating adc2a5169…4a21642f0
Fast-forward
CONTRIBUTING.md | 20 +++++++++++++-------
1 file changed, 13 insertions(+), 7 deletions(-)

Platform (i.e. Linux distro, PHP, PostgreSQL, etc) versions:
Fedora 29

Please provide any additional information below:
This appears to be specific to Chrome 74. Chrome 73 worked fine. Works fine with Firefox also.

I also discovered that things appear to work fine in “incognito mode”. This issue occurs in Chrome 75 (Beta) and Chrome 76 (Devel).

#2

I found the problem. Fedora installs an extension called: Fedora User Agent

Starting with Chrome 74, it is no longer compatible with TTRSS. AFAIK it really isn’t needed, since it apparently only modifies your User-Agent string to contain the name of the Fedora Linux distribution.

I don’t know if this is something that needs to be modified on the Fedora side or the TTRSS side to resolve.

#3

…or just uninstall the unrequested and un-needed extension package that Fedora foisted on their users and be done with it?

#4

Well, that’s all fine and good, but clearly something changed in Chrome which going forward is having unintended consequences. I also just checked several other sites which use two-factor (Amazon, Facebook, Google, etc.) and they are all working fine with the Fedora extension enabled, which leads me to suspect that this error is specific to the two-factor implementation in TTRSS.

#5

2FA works just fine for me with the latest Chrome, so there’s nothing inherently broken here. Then again, I’m not using Fedora. :roll_eyes:

You can disable session binding to the user agent via config.php (_SESSION_SKIP_UA_CHECKS).
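For readers who want to see what the “session binding to user agent” check and the `_SESSION_SKIP_UA_CHECKS` switch actually do, here is a small illustrative PHP example. It is added here and is not tt-rss’s own code: the function names, the session layout (a `ua_hash` key) and the sample User-Agent strings are assumptions, and the only thing taken from the thread is the name of the config constant. It binds a session to a hash of the User-Agent seen at login, rejects later requests whose User-Agent differs (the “UA changed” condition), and shows how the skip flag turns that rejection off.

```php
<?php
// Illustrative session-to-User-Agent binding check (added example, not tt-rss code).
// Assumptions: the application stores a SHA-256 of the client's User-Agent in the
// session at login and compares it on every later request; a config constant named
// like tt-rss's _SESSION_SKIP_UA_CHECKS disables the comparison.

declare(strict_types=1);

// Mimics the config.php switch from the thread; the default value here is an assumption.
if (!defined('_SESSION_SKIP_UA_CHECKS')) {
    define('_SESSION_SKIP_UA_CHECKS', false);
}

/**
 * Bind a freshly authenticated session to the User-Agent that logged in.
 * Only a hash is stored, so the session never carries the raw header value.
 */
function bind_session_to_ua(array &$session, string $ua): void
{
    $session['ua_hash'] = hash('sha256', $ua);
}

/**
 * Validate an existing session against the User-Agent of the current request.
 * Returns null when the session is acceptable, otherwise a short reason string.
 * $skipUaChecks is passed explicitly so the demo below can show both settings;
 * a real application would read the config constant once.
 */
function validate_session_ua(array $session, string $ua, bool $skipUaChecks = _SESSION_SKIP_UA_CHECKS): ?string
{
    if ($skipUaChecks) {
        return null;            // binding disabled: any User-Agent is accepted
    }
    if (!isset($session['ua_hash'])) {
        return 'no UA bound';   // session never went through bind_session_to_ua()
    }
    // Constant-time comparison of the stored hash against the hash of the current UA.
    if (!hash_equals($session['ua_hash'], hash('sha256', $ua))) {
        return 'UA changed';    // the condition the reporter hit after the Chrome update
    }
    return null;
}

// --- Constructed demo data (hypothetical strings, not captured from a browser) ---
// A User-Agent carrying a distro token, as an extension like the one in the thread might add:
$loginUa = 'Mozilla/5.0 (X11; Fedora; Linux x86_64) AppleWebKit/537.36 Chrome/74.0 Safari/537.36';
// The same browser without that token, i.e. a request whose UA the extension did not rewrite.
// Whether that is what actually happens in Chrome 74 is an assumption for this demo.
$laterUa = 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 Chrome/74.0 Safari/537.36';

$session = [];
bind_session_to_ua($session, $loginUa);

foreach ([
    'same UA, checks on'      => [$loginUa, false],
    'changed UA, checks on'   => [$laterUa, false],
    'changed UA, checks off'  => [$laterUa, true],   // _SESSION_SKIP_UA_CHECKS = true
] as $label => [$ua, $skip]) {
    $reason = validate_session_ua($session, $ua, $skip);
    echo str_pad($label, 24) . ': ' . ($reason ?? 'session ok') . PHP_EOL;
}
```

Run it with `php example.php`: the first case passes, the second reports `UA changed` because the hash stored at login no longer matches, and the third passes only because the skip flag short-circuits the comparison. That is the trade-off behind the config.php setting: disabling the check makes the session survive a User-Agent rewrite, but it also removes one signal that a stolen session cookie is being replayed from a different client.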

#6

Thanks for the tip on the config.php setting… I’ll do that.

#7

Given that this works in incognito mode, wouldn’t just clearing the cookies for your TT-RSS site fix the issue? I’ve occasionally had weird issues like this and that fixes it.

I think you can even force TT-RSS to wipe the session by visiting:

https://yourdomain.tld/backend.php?op=logout