Google account login using 2FA isn’t remembered across sessions
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
webbrowser-app (Ubuntu) | Triaged | Medium | Unassigned | |
Bug Description
This has been reliably reproduced on desktop and a phone running webbrowser-app 0.23+16.
Steps to reproduce:
1) wipe your session data (make a backup first if you care) by removing ~/.local/
2) launch webbrowser-app
3) browse to https:/
4) log in with an account that uses 2FA (I’m testing with a @canonical.com address)
5) read your e-mails
6) close the browser window
7) launch webbrowser-app again
Expected result: you’re back to your inbox, logged in and ready to work
Actual result: Google prompts you for your e-mail address. Once entered, the login happens automatically; there is no need to do the 2FA dance again.
Changed in webbrowser-app (Ubuntu):
status: New → Invalid
I think this is really a Google feature, not a bug.
From what we observed, corporate / 2FA account userids are stored as /session cookies/ and thus only survive for the lifetime of a browser session. We think this is on purpose, to force a userid confirmation "every morning" or so, as defined by a new browser session start.
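
The session-cookie behaviour described in the comment above, modelled as an added example (not code from webbrowser-app or Google). The cookie names and values are hypothetical, and the example assumes the remembered-device state sits in a persistent cookie while the userid sits in a session cookie.

```javascript
// Constructed Set-Cookie headers; names and values are hypothetical,
// not the cookies Google actually sets.
const loginResponse = [
  "user_hint=alice%40example.com; Path=/; Secure; HttpOnly",        // no Expires/Max-Age
  "device_trust=abc123; Path=/; Secure; HttpOnly; Max-Age=2592000", // 30 days
  "prefs=compact; Path=/; Expires=Wed, 01 Jan 2020 00:00:00 GMT",   // already expired
];

// Parse one Set-Cookie header into { name, value, expiresAt }.
// expiresAt === null marks a session cookie (RFC 6265: no Expires, no Max-Age).
function parseSetCookie(header, now) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), expiresAt: null };
  let maxAge = null, expires = null;
  for (const attr of attrs) {
    const i = attr.indexOf("=");
    const key = (i === -1 ? attr : attr.slice(0, i)).toLowerCase();
    const val = i === -1 ? "" : attr.slice(i + 1);
    if (key === "max-age" && /^-?\d+$/.test(val)) maxAge = now + Number(val) * 1000;
    if (key === "expires" && !Number.isNaN(Date.parse(val))) expires = Date.parse(val);
  }
  // Max-Age takes precedence over Expires when both are present.
  cookie.expiresAt = maxAge !== null ? maxAge : expires;
  return cookie;
}

// Cookie jar as the browser holds it while running (expired cookies rejected).
function storeCookies(headers, now) {
  return headers.map((h) => parseSetCookie(h, now))
    .filter((c) => c.expiresAt === null || c.expiresAt > now);
}

// What is left after the browser is closed and started again at time `now`:
// session cookies are dropped, persistent ones stay until they expire.
function afterRestart(jar, now) {
  return jar.filter((c) => c.expiresAt !== null && c.expiresAt > now);
}

const t0 = Date.parse("2024-01-01T09:00:00Z"); // constructed login time
const jar = storeCookies(loginResponse, t0);
const nextMorning = afterRestart(jar, t0 + 24 * 3600 * 1000);
console.log("during session:", jar.map((c) => c.name));
console.log("after restart: ", nextMorning.map((c) => c.name));
```

Under these assumptions only the persistent cookie survives the restart, which matches the report: the e-mail address is requested again, but the second factor is not.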