Tiny Tiny RSS: Community

Chrome 74 breaks two factor authentication

Describe the problem you’re having:
After upgrading to Chrome 74, I can no longer log in using two-factor authentication. Upon entering the 6-digit code, I receive the “Session failed to validate (UA changed).” message.

If possible include steps to reproduce the problem:
Log in by entering userid/password, then enter the 6-digit token.

tt-rss version (including git commit id):

adc2a5169…4a21642f0; master -> origin/master
Updating adc2a5169…4a21642f0
Fast-forward
CONTRIBUTING.md | 20 +++++++++++++-------
1 file changed, 13 insertions(+), 7 deletions(-)

Platform (i.e. Linux distro, PHP, PostgreSQL, etc) versions:
Fedora 29

Please provide any additional information below:
This appears to be specific to Chrome 74. Chrome 73 worked fine. Works fine with Firefox also.

I also discovered that things appear to work fine in “incognito mode”. This issue occurs in Chrome 75 (Beta) and Chrome 76 (Devel).

I found the problem. Fedora installs an extension called: Fedora User Agent

Starting with Chrome 74, it no longer is compatible with TTRSS. AFAIK it really isn’t needed since it apparently only modifies your User-Agent string to contain the name of Fedora Linux distribution.

I don’t know if this is something that needs to be modified on the Fedora side or the TTRSS side to resolve.

…or just uninstall the unrequested and un-needed extension package that Fedora foisted on their users and be done with it?

Well, that’s all fine and good, but clearly something changed in Chrome which going forward is having unintended consequences. I also just checked several other sites which use 2 factor: amazon, facebook, google, etc. and they are all working fine with the Fedora extension enabled - which leads me to suspect that this error is specific to the two factor implementation in TTRSS.

2FA works just fine for me with latest chrome so there’s nothing inherently broken here. then again i’m not using fedora. :roll_eyes:

you can disable session binding to user agent via config.php (_SESSION_SKIP_UA_CHECKS).
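
The session binding mentioned above, modelled as an added example (not tt-rss source code and not part of the original posts). The function names, the SHA-1 digest of the header, the boolean standing in for `_SESSION_SKIP_UA_CHECKS`, and the two User-Agent strings are assumptions made for illustration.

```php
<?php
// Added example: bind a session to the User-Agent seen at login and
// re-check it on every later request. Hypothetical helper names.

const UA_ERROR = 'Session failed to validate (UA changed).';

// Called once the password (and the OTP, if enabled) has been accepted.
function bind_session(array &$session, string $user_agent): void {
    $session['uid'] = 1;                         // constructed user id
    $session['user_agent'] = sha1($user_agent);  // keep a digest, not the raw header
}

// Called at the start of every authenticated request.
// $skip_ua_checks models the effect of defining _SESSION_SKIP_UA_CHECKS.
function validate_session(array &$session, string $user_agent, bool $skip_ua_checks = false): bool {
    if (empty($session['uid'])) {
        return false;                            // not logged in
    }
    $stored = $session['user_agent'] ?? '';
    if (!$skip_ua_checks && !hash_equals($stored, sha1($user_agent))) {
        $session = ['login_error_msg' => UA_ERROR];  // drop the session, keep the message
        return false;
    }
    return true;
}

// Constructed headers: the same browser with and without an extension
// that inserts a distribution name into the User-Agent.
$ua_plain    = 'Mozilla/5.0 (X11; Linux x86_64) Chrome/74.0 Safari/537.36';
$ua_modified = 'Mozilla/5.0 (X11; Fedora; Linux x86_64) Chrome/74.0 Safari/537.36';

$cases = [
    'same UA on both requests'    => [$ua_plain, $ua_plain, false],
    'UA differs after login'      => [$ua_plain, $ua_modified, false],
    'UA differs, checks disabled' => [$ua_plain, $ua_modified, true],
];

foreach ($cases as $label => [$login_ua, $next_ua, $skip]) {
    $session = [];
    bind_session($session, $login_ua);
    $ok = validate_session($session, $next_ua, $skip);
    printf("%-28s %s\n", $label, $ok ? 'valid' : 'rejected: ' . $session['login_error_msg']);
}
```

In this model, disabling the check means a session cookie is accepted whatever User-Agent accompanies it, so the cookie's own protections (HTTPS, the Secure and HttpOnly flags) carry the whole load.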

Thanks for the tip on the config.php setting… I’ll do that.

Given that this works in incognito mode, wouldn’t just clearing the cookies for your TT-RSS site fix the issue? I’ve occasionally had weird issues like this and that fixes it.

I think you can even force TT-RSS to wipe the session by visiting:

 https://yourdomain.tld/backend.php?op=logout