Improve MFA

Temporarily save username and password during MFA login to session file and not into hidden input

system/admin/views/login-mfa.html.php

@@ -1,4 +1,8 @@
 <?php if (!defined('HTMLY')) die('HTMLy'); ?>
+<?php
+$_SESSION["mfa_uid"] = $username;
+$_SESSION["mfa_pwd"] = $password;
+ ?>
 <style>.error-message ul {margin:0;padding:0;}</style>
 <?php if (isset($error)) { ?>
     <div class="error-message"><?php echo $error ?></div>
@@ -6,8 +10,6 @@
 <h1><?php echo i18n('Login');?></h1>
 <form method="POST" action="login-mfa">
     <input type="hidden" name="csrf_token" value="<?php echo get_csrf() ?>">
-    <input type="hidden" name="user" value="<?php echo $username; ?>">
-    <input type="hidden" name="password" value="<?php echo $password; ?>">
     <label><?php echo i18n('MFACode');?></label>
     <input type="text" class="form-control" name="mfacode" placeholder="<?php echo i18n('verify_code'); ?>"/>
     <br>

system/htmly.php

@@ -221,8 +221,8 @@ post('/login', function () {
 post('/login-mfa', function () {
 
     $proper = is_csrf_proper(from($_REQUEST, 'csrf_token'));
-    $user = from($_REQUEST, 'user');
-    $pass = from($_REQUEST, 'password');
+    $user = $_SESSION["mfa_uid"];
+    $pass = $_SESSION["mfa_pwd"];
     $mfacode = from($_REQUEST, 'mfacode');
     $mfa_secret = user('mfa_secret', $user);
     $google2fa = new Google2FA();

system/includes/session.php

@@ -1,7 +1,7 @@
 <?php
 $samesite = 'strict';
 if(PHP_VERSION_ID < 70300) {
-    session_set_cookie_params('samesite='.$samesite);	
+    session_set_cookie_params('samesite='.$samesite);
 } else {
     session_set_cookie_params(['samesite' => $samesite]);
 }
@@ -16,5 +16,11 @@ function login()
     } else {
         return false;
     }
-
+}
+
+if (rtrim($_SERVER['REQUEST_URI'], '/') != rtrim(site_path() . '/login-mfa', '/')) {
+    if (isset($_SESSION['mfa_pwd']) && isset($_SESSION['mfa_uid'])) {
+        unset($_SESSION['mfa_pwd']);
+        unset($_SESSION['mfa_uid']);
+    }
 }