Called providers session value is never unset

[kriswillis]

Bundle version: 4.18.1
Symfony version: 3.4.43

Description
Once prepareAuthentication() is called for the first time, the firewall/provider combination is recorded under the 2fa_called_providers session key; however, it is never removed after a successful authentication.

If you log out and back in, the 2FA form is displayed but no code is generated/sent out because prepareAuthentication() is not called again due to the presence of the 2fa_called_providers session value from the previous login.

Is the intention for the user to re-use the previous auth code?

Additional Context
I'm using a custom provider, but I don't think that makes any difference. From what I can see, the TwoFactorProviderPreparationRecorder class contains methods for checking if a provider is prepared and recording that a provider is prepared, but nothing for "un-preparing" them.

[scheb]

Are you sure about this? To my knowledge, when you log out, the session is terminated. So you start with a fresh new session, that therefore doesn't have the session attribute set.

I believe that's the component responsible for terminating the session: https://github.com/symfony/symfony/blob/3.4/src/Symfony/Component/Security/Http/Logout/SessionLogoutHandler.php

[kriswillis]

Ah hah, I have invalidate_session set to false in my firewall config. I'll have to investigate why we have it set like this. I can add a logout event subscriber to unset the value if I need to…

Thanks for the super quick response 👍

[scheb]

Ah, wasn't aware about that invalidate_session option. Under these circumstances it would actually make sense to unset the value.

[scheb]

Well, that was an easy one. v4.18.2 is here for the rescue.