Troubleshooting

Timeout

If you offer a setup link and get this error message:

403 Forbidden
Token is too old. Send a new request.

The generated button is a form with hidden fields. Clicking the button sends a POST request to the MFA server. The form is only valid for 60 seconds after it was generated. If a user stays on the page longer than that and then clicks the MFA setup button, the MFA server rejects the stale token with this error.

Solution:

  • Go back and reload the page to generate a new button. That one can be clicked within the next 60 seconds.
  • If it still does not work, the clock of your application server or of the MFA server may be out of sync. Because the token is only accepted for 60 seconds, even a clock skew of a few tens of seconds between the two hosts is enough to trigger the error; check NTP on both.
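To test the clock hypothesis without guessing, compare the application server's clock with the one of the MFA server. The following script is an added example and not part of the mfa-client package; it assumes that the "api" entry of mfaconfig.php is the base URL of the MFA server and that the server answers a HEAD request with a standard HTTP Date header. The 30 second threshold is an assumption chosen as half of the 60 second token lifetime.

```php
<?php
// Added example (not part of the mfa-client package): compare the clock of
// this application server with the clock of the MFA server.
// Assumption: $aConfig['api'] is the base URL of the MFA server and the
// server sends an HTTP "Date" header (RFC 7231 format) in its response.

function getServerClockOffset(string $url): ?int
{
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_NOBODY         => true,   // HEAD request, no body needed
        CURLOPT_HEADER         => true,   // we want the response headers
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_TIMEOUT        => 5,
        CURLOPT_SSL_VERIFYPEER => true,   // never switch this off, not even for a check
    ]);
    $sent    = time();
    $headers = curl_exec($ch);
    curl_close($ch);
    if ($headers === false) {
        return null;                      // no connection at all
    }
    // pick the Date header; strtotime() understands the RFC 7231 date format
    if (!preg_match('/^Date:\s*(.+)$/mi', $headers, $m)) {
        return null;                      // server sends no Date header
    }
    $remote = strtotime(trim($m[1]));
    if ($remote === false) {
        return null;                      // unparseable date
    }
    return $remote - $sent;               // positive: MFA server is ahead of us
}

$aConfig = require __DIR__ . '/mfaconfig.php';
$offset  = getServerClockOffset($aConfig['api']);

if ($offset === null) {
    echo "Could not read a Date header from the MFA server.\n";
} elseif (abs($offset) > 30) {
    // the form token lives 60 s; a skew of this size eats half of that
    echo "WARNING: MFA server clock differs by $offset s - sync NTP on both hosts.\n";
} else {
    echo "Clock offset to MFA server: $offset s (OK)\n";
}
```

Run it on the command line of the application server (php check-clock.php from the directory that holds mfaconfig.php). The Date header has a resolution of one second and includes the network round trip, so an offset of one or two seconds is normal; a persistent offset of tens of seconds is the problem the list above refers to.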

No MFA appears

You get no MFA challenge and no error, and MFA seems to be skipped completely?

In mfa-ensure.php, enable the last line, or put it into your own code:

echo $mfa->showStatus();

It shows whether the user still has a valid session after a successful challenge, or whether an error was detected, such as:

  • one of the keys is missing or empty in the config:
    • ‘api’
    • ‘appid’
    • ‘shared_secret’
    • ‘user’
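A pre-flight check for exactly these keys can be run before the challenge is started, so a typo in mfaconfig.php surfaces as a readable message instead of a silently skipped MFA. The function below is an added example, not part of the mfa-client package. It assumes that mfaconfig.php returns a plain array (as in the snippet in the "Globally enabled" section) and that the application knows the logged-in user; the session key $_SESSION['username'] used in the usage part is a hypothetical name for that. The https check on the "api" value is an extra assumption that the entry is the URL of the MFA server.

```php
<?php
// Added example (not part of the mfa-client package): verify that the MFA
// configuration carries all keys the client needs before the challenge is
// started. The required keys are the ones listed above; "user" is normally
// set by the application at runtime, so it is passed in as a parameter.

function mfaConfigErrors(array $aConfig, string $user): array
{
    $aConfig['user'] = $user;
    $aErrors = [];

    foreach (['api', 'appid', 'shared_secret', 'user'] as $sKey) {
        if (!array_key_exists($sKey, $aConfig)) {
            $aErrors[] = "key '$sKey' is missing";
        } elseif (!is_string($aConfig[$sKey]) || trim($aConfig[$sKey]) === '') {
            $aErrors[] = "key '$sKey' is empty";
        }
    }

    // Assumption: "api" is the URL of the MFA server. A plain http:// value
    // would send the signed requests unencrypted, so flag it as well.
    if (isset($aConfig['api']) && is_string($aConfig['api'])
        && strpos($aConfig['api'], 'https://') !== 0
    ) {
        $aErrors[] = "key 'api' should be an https:// URL";
    }
    return $aErrors;
}

// usage: run before the MFA challenge. Only key names are reported, never the
// values, so the shared secret cannot end up in a log or on a page.
$aConfig = require __DIR__ . '/mfaconfig.php';
$aErrors = mfaConfigErrors($aConfig, $_SESSION['username'] ?? '');  // hypothetical session key

if ($aErrors) {
    error_log('MFA config check: ' . implode('; ', $aErrors));
    echo "<pre>MFA is not configured correctly:\n - "
        . implode("\n - ", array_map('htmlspecialchars', $aErrors))
        . "</pre>";
}
```

Deliberately report only which key failed, not its value: the check may run on a page that other people can see, and the shared secret is the one value that must never appear there.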

Debugging

There is a debug mode for digging deeper when the behaviour is not as expected. It prints detailed information about the connection to the MFA server and the actions on the client.

Security warning

Do not activate it globally or for all users on a production web app! The debug output reveals details of the connection to the MFA server to whoever sees the page.

Globally enabled

In mfaconfig.php you can enable the flag "debug":

<?php

return [

    "api" => ...
    "appid" => ...
    "shared_secret" => ...

    "debug" => true,

];

Enable by debug method

In PHP code you can use the method debug(<bool>) to enable or disable debugging:

<?php
require "<APPROOT>/vendor/mfa-client/mfaclient.class.php";
$oMfa = new mfaclient();

// enable debugging
$oMfa->debug(true);

In real-life applications, add further conditions, e.g. a restriction to your own user account plus a $_GET variable, so that the debug output is limited to you only. A bare $_GET switch on its own is not enough: anyone who guesses the parameter name would get the debug output.
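One way to gate the debug(true) call as described above, as an added example that is not part of the mfa-client package: debugging is switched on only for one named account and only if the request carries a secret query parameter. It assumes that the application keeps the logged-in user in $_SESSION['username'] (a hypothetical key name) and that a per-deployment random value DEBUG_TOKEN is defined; the require line and the mfaclient class are the ones from the page's own snippet.

```php
<?php
// Added example (not part of the mfa-client package): enable MFA debugging
// only for one admin account AND only when a secret query parameter is sent.
// Assumptions: $_SESSION['username'] (hypothetical key) holds the logged-in
// user; DEBUG_TOKEN is a long random value, e.g. from bin2hex(random_bytes(16)),
// ideally defined in a file outside the web root.

require "<APPROOT>/vendor/mfa-client/mfaclient.class.php";

const DEBUG_USER  = 'alice';                             // your own account only
const DEBUG_TOKEN = 'replace-with-a-long-random-value';  // not a guessable word

function mfaDebugAllowed(string $currentUser, array $get): bool
{
    // 1st condition: user restriction
    if ($currentUser !== DEBUG_USER) {
        return false;
    }
    // 2nd condition: secret in the query string, e.g. ?mfadebug=<token>
    $token = $get['mfadebug'] ?? '';
    // ?mfadebug[]=x would deliver an array; a loose == on numeric-looking
    // strings is unreliable in PHP; hash_equals() compares in constant time
    return is_string($token) && hash_equals(DEBUG_TOKEN, $token);
}

$oMfa = new mfaclient();

if (mfaDebugAllowed($_SESSION['username'] ?? '', $_GET)) {
    $oMfa->debug(true);    // only reached by DEBUG_USER with the correct token
} else {
    $oMfa->debug(false);   // explicit default for everybody else
}
```

Keep DEBUG_TOKEN out of version control and rotate it after the debugging session; the query string ends up in access logs and browser history, so treat the value as spent once it has been used.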