From 0ac5c8ec624d0df3784004c9dce555b7a419982d Mon Sep 17 00:00:00 2001
From: Moritz Strohm <strohm@data-quest.de>
Date: Wed, 6 Dec 2023 10:51:32 +0000
Subject: [PATCH] include user-ID in cookie for TFA, fixes #3533

Closes #3533

Merge request studip/studip!2422
---
 lib/classes/TwoFactorAuth.php | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/lib/classes/TwoFactorAuth.php b/lib/classes/TwoFactorAuth.php
index 3582b6fdb7a..5373c9aa3f5 100644
--- a/lib/classes/TwoFactorAuth.php
+++ b/lib/classes/TwoFactorAuth.php
@@ -55,7 +55,7 @@ final class TwoFactorAuth
     {
         // Remove cookie
         setcookie(
-            self::COOKIE_KEY,
+            self::COOKIE_KEY . '/' . $GLOBALS['user']->id,
             '',
             strtotime('-1 year'),
             $GLOBALS['CANONICAL_RELATIVE_PATH_STUDIP']
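Review bot: The per-user cookie name `self::COOKIE_KEY . '/' . $GLOBALS['user']->id` is now spelled out three times (here, in the "Trusted computer?" check and in the later setcookie() call), so a future change to the naming scheme has to be applied in three places; a single private accessor, `private function getUserCookieKey(): string { return self::COOKIE_KEY . '/' . $GLOBALS['user']->id; }`, would keep the three call sites in step. Note also that `/` is a separator character rather than a token character under RFC 6265's cookie-name grammar; PHP's setcookie() accepts it and browsers are generally lenient, but a neutral separator such as `_` avoids relying on that leniency. The surrounding method starts before this hunk, and the setcookie() argument list continues after it.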
@@ -149,8 +149,9 @@ final class TwoFactorAuth
         }
 
         // Trusted computer?
-        if (isset($_COOKIE[self::COOKIE_KEY])) {
-            list($code, $timeslice) = explode(':', $_COOKIE[self::COOKIE_KEY]);
+        $user_cookie_key = self::COOKIE_KEY . '/' . $GLOBALS['user']->id;
+        if (isset($_COOKIE[$user_cookie_key])) {
+            list($code, $timeslice) = explode(':', $_COOKIE[$user_cookie_key]);
             if ($this->secret->validateToken($code, (int) $timeslice, true)) {
                 $this->registerSecretInSession();
                 return;
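Review bot: The rewritten `list($code, $timeslice) = explode(':', $_COOKIE[$user_cookie_key]);` still destructures a client-supplied cookie value without checking its shape: a cookie with no `:` yields a one-element array, so the assignment emits an undefined-key warning and `$timeslice` becomes null, which the cast turns into 0 before validateToken() is even called. Since this line is being rewritten anyway, padding the result is a one-line hardening, `[$code, $timeslice] = array_pad(explode(':', $_COOKIE[$user_cookie_key], 2), 2, '');`, which also replaces the legacy `list()` form with the short syntax; a malformed cookie then simply fails validation instead of producing a warning. The rest of the method lies outside this hunk.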
@@ -255,7 +256,7 @@ final class TwoFactorAuth
 
         $timeslice = mt_rand(0, PHP_INT_MAX);
         setcookie(
-            self::COOKIE_KEY,
+            self::COOKIE_KEY . '/' . $GLOBALS['user']->id,
             implode(':', [$this->secret->getToken($timeslice), $timeslice]),
             $lifetime,
             $GLOBALS['CANONICAL_RELATIVE_PATH_STUDIP']
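Review bot: The trusted-computer cookie written here carries a token that bypasses the second factor, so the remaining setcookie() arguments beyond the path — which are outside this hunk — should pass `secure: true` and `httponly: true` (and ideally `samesite: 'Lax'` or stricter) so the value is neither sent over plain HTTP nor readable from page scripts; if the call already does so further down, this is moot. If it does not, the PHP 7.3+ options-array form, `setcookie($name, $value, ['expires' => $lifetime, 'path' => $GLOBALS['CANONICAL_RELATIVE_PATH_STUDIP'], 'secure' => true, 'httponly' => true, 'samesite' => 'Lax']);`, makes the flags explicit at this call site. The enclosing method starts before this hunk.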
-- 
GitLab