diff --git a/conf/defaults.config b/conf/defaults.config
index 7648ba58eb..6936fc6a04 100644
--- a/conf/defaults.config
+++ b/conf/defaults.config
@@ -975,7 +975,7 @@ $twoFA{enabled} = 1;
# the user, or can be directly displayed in the browser on the next page that is
# shown after password verification succeeds.
#
-# If $twoFA{email_sender} is set, then the email approach will be used. In this
+# If $twoFA{email_sender} is set, then the email approach will be used. In this
# case, after a user signs in and the password is verified, the user will be
# sent an email containing a QR code and instructions on how to set up a OTP
# generator app. This is probably a more secure way to set up two factor
@@ -995,6 +995,16 @@ $twoFA{enabled} = 1;
# better to find a valid email address to use for this.
$twoFA{email_sender} = '';
+# When a user signs in and enters the two factor authentication code, the user
+# has the option to skip two factor verification on a given device for
+# subsequent logins. That will only last for the amount of time set as the
+# skip_verification_code_interval. By default this is set to one year. However,
+# good security practices most likely recommend a shorter time interval for
+# this. So change this value if you want to require a shorter and thus more
+# secure time interval before users will need to enter the two factor
+# authentication code again.
+$twoFA{skip_verification_code_interval} = 3600 * 24 * 365;
+
################################################################################
# WeBWorK Caliper
################################################################################
diff --git a/conf/localOverrides.conf.dist b/conf/localOverrides.conf.dist
index d0a5d8ba54..d3e2e5c529 100644
--- a/conf/localOverrides.conf.dist
+++ b/conf/localOverrides.conf.dist
@@ -605,7 +605,7 @@ $mail{feedbackRecipients} = [
# the user, or can be directly displayed in the browser on the next page that is
# shown after password verification succeeds.
#
-# If $twoFA{email_sender} is set, then the email approach will be used. In this
+# If $twoFA{email_sender} is set, then the email approach will be used. In this
# case, after a user signs in and the password is verified, the user will be
# sent an email containing a QR code and instructions on how to set up a OTP
# generator app. This is probably a more secure way to set up two factor
@@ -625,8 +625,18 @@ $mail{feedbackRecipients} = [
# better to find a valid email address to use for this.
#$twoFA{email_sender} = 'noreply@your.school.edu';
+# When a user signs in and enters the two factor authentication code, the user
+# has the option to skip two factor verification on a given device for
+# subsequent logins. That will only last for the amount of time set as the
+# skip_verification_code_interval. By default this is set to one year. However,
+# good security practices most likely recommend a shorter time interval for
+# this. So change this value if you want to require a shorter and thus more
+# secure time interval before users will need to enter the two factor
+# authentication code again.
+#$twoFA{skip_verification_code_interval} = 3600 * 24 * 7;
+
# By default all users with the role of "student" or higher are required to use
-# two factor authentication when signing in with a username and password. If
+# two factor authentication when signing in with a username and password. If
# you want to disable two factor authentication for students, but require it for
# instructors then set the permission level below to "login_proctor" (or
# higher).
diff --git a/lib/WeBWorK/Authen.pm b/lib/WeBWorK/Authen.pm
index e3781b6af0..e56e4d0bef 100644
--- a/lib/WeBWorK/Authen.pm
+++ b/lib/WeBWorK/Authen.pm
@@ -325,7 +325,6 @@ sub get_credentials {
}
my ($cookieUser, $cookieKey, $cookieTimeStamp) = $self->fetchCookie;
- $c->log->info('"' . $cookieUser . '"') if $cookieUser;
if (defined $cookieUser && defined $c->param('user')) {
$self->maybe_kill_cookie if $cookieUser ne $c->param('user');
@@ -497,8 +496,8 @@ sub verify_normal_user {
$c->signed_cookie(
'WeBWorK.2FA.' . $c->ce->{courseName} => b64_encode($user_id) =~ s/\n//gr,
{
- max_age => 3600 * 24 * 365, # This cookie is valid for one year.
- expires => time + 3600 * 24 * 365,
+ max_age => $c->ce->{twoFA}{skip_verification_code_interval},
+ expires => time + $c->ce->{twoFA}{skip_verification_code_interval},
path => $c->ce->{webworkURLRoot},
samesite => $c->ce->{CookieSameSite},
secure => $c->ce->{CookieSecure},
diff --git a/templates/ContentGenerator/TwoFactorAuthentication.html.ep b/templates/ContentGenerator/TwoFactorAuthentication.html.ep
index 65e582d0e4..50a30eac88 100644
--- a/templates/ContentGenerator/TwoFactorAuthentication.html.ep
+++ b/templates/ContentGenerator/TwoFactorAuthentication.html.ep
@@ -47,9 +47,9 @@
<%= label_for skip_2fa => maketext('Skip two factor verification on this device.') =%>
- <%= maketext('If you check the box above, then two factor verification will be skipped from now on when '
- . 'signing in with this browser. This feature is not safe for public workstations, untrusted machines, '
- . 'and machines over which you do not have direct control.') =%>
+ <%= maketext('If you check the box above, then two factor verification will be skipped for a limited '
+ . 'time when signing in with this browser. This feature is not safe for public workstations, '
+ . 'untrusted machines, and machines over which you do not have direct control.') =%>
% if ($authen_error) {
<%= $authen_error =%>