Problem with MFA and connection from a new browser [htaccess Set-Cookie header]

I have read intro post: About the Installation Issues category
I have read the tutorials, help and searched for similar issues
I provide relevant information about my server (component names and versions, etc.)
I provide a copy of my logs and healthcheck
I describe the steps I have taken to trouble shoot the problem
I describe the steps on how to reproduce the issue


I’m using Passbolt CE for a few weeks now and i have 3 problems :

  • I can’t active MFA (TOTP) for all users except me. All users, when they go in “settings > MFA”, have a blank page.
    For myself, MFA is enabled, but Passbolt never asked for the TOTP when i login.

  • Actually we are changing all of ours computers, and when i go on the BaseURL on the new computer/browser, i have a blank page, so i cannot connect even if i have my private key and pass phrase.

  • It seems the recovery account feature is only accessible in business version, is there a way to enable this feature, or have an equivalent without business version ?
    If not, that’s not a problem, i can pay for that :slight_smile:

Server: CentOS 7
Webserver: httpd 2.4
Database server: MySQL 5.7
PHP version: php 8.0
Passbolt version: 3.12.0

Installation is from source code and the health check is below:

[user@hostname:~]$ ./www/bin/cake passbolt healthcheck

     ____                  __          ____  
    / __ \____  _____ ____/ /_  ____  / / /_ 
   / /_/ / __ `/ ___/ ___/ __ \/ __ \/ / __/ 
  / ____/ /_/ (__  |__  ) /_/ / /_/ / / /    
 /_/    \__,_/____/____/_.___/\____/_/\__/   

 Open source password manager for teams

Passbolt commands should only be executed as the web server user.

 Healthcheck shell         


 [PASS] PHP version 8.0.23.
 [PASS] PCRE compiled with unicode support.
 [PASS] The temporary directory and its content are writable and not executable.
 [PASS] The logs directory and its content are writable.
 [PASS] GD or Imagick extension is installed.
 [PASS] Intl extension is installed.
 [PASS] Mbstring extension is installed.

 Config files

 [PASS] The application config file is present
 [PASS] The passbolt config file is present

 Core config

 [PASS] Debug mode is off.
 [PASS] Cache is working.
 [PASS] Unique value set for security.salt
 [PASS] Full base url is set to 
 [PASS] App.fullBaseUrl validation OK.
 [PASS] /healthcheck/status is reachable.

 SSL Certificate

 [PASS] SSL peer certificate validates
 [PASS] Hostname is matching in SSL certificate.
 [PASS] Not using a self-signed certificate


 [PASS] The application is able to connect to the database
 [PASS] 30 tables found
 [PASS] Some default content is present
 [PASS] The database schema up to date.

 GPG Configuration

 [PASS] PHP GPG Module is installed and loaded.
 [PASS] The environment variable GNUPGHOME is set to .gnupg.
 [PASS] The directory .gnupg containing the keyring is writable by the webserver user.
 [PASS] The server OpenPGP key is not the default one
 [PASS] The public key file is defined in www/config/passbolt.php and readable.
 [PASS] The private key file is defined in www/config/passbolt.php and readable.
 [PASS] The server key fingerprint matches the one defined in www/config/passbolt.php.
 [PASS] The server public key defined in the ww/config/passbolt.php (or environment variables) is in the keyring.
 [PASS] There is a valid email id defined for the server key.
 [PASS] The public key can be used to encrypt a message.
 [PASS] The private key can be used to sign a message.
 [PASS] The public and private keys can be used to encrypt and sign a message.
 [PASS] The private key can be used to decrypt a message.
 [PASS] The private key can be used to decrypt and verify a message.
 [PASS] The public key can be used to verify a signature.
 [PASS] The server public key format is Gopengpg compatible.
 [PASS] The server private key format is Gopengpg compatible.

 Application configuration

 [PASS] Using latest passbolt version (3.12.0).
 [PASS] Passbolt is configured to force SSL use.
 [PASS] App.fullBaseUrl is set to HTTPS.
 [PASS] Selenium API endpoints are disabled.
 [PASS] Search engine robots are told not to index content.
 [INFO] The Self Registration plugin is enabled.
 [INFO] Registration is closed, only administrators can add users.
 [PASS] The deprecated self registration public setting was not found in www/config/passbolt.php.
 [WARN] Host availability checking is disabled.
 [HELP] Make sure this instance is not publicly available on the internet.
 [HELP] Or set the PASSBOLT_EMAIL_VALIDATE_MX environment variable to true.
 [HELP] Or set to true in www/config/passbolt.php.
 [PASS] Serving the compiled version of the javascript app.
 [WARN] Some email notifications are disabled by the administrator.

 JWT Authentication

 [PASS] The JWT Authentication plugin is enabled
 [PASS] The www/config/jwt/ directory is not writable.
 [PASS] A valid JWT key pair was found

 SMTP Settings

 [PASS] The SMTP Settings plugin is enabled.
 [PASS] SMTP Settings coherent. You may send a test email to validate them.
 [PASS] The SMTP Settings source is: database.
 [WARN] The SMTP Settings plugin endpoints are enabled.
 [HELP] It is recommended to disable the plugin endpoints.
 [HELP] Or set to true in www/config/passbolt.php.

 [PASS] No error found. Nice one sparky!


Hi @Lithiumx Welcome to the forum!

Seems your post got missed - sorry for that.

Regarding MFA, What does this return for mysql command line:
select value from organization_settings where property='mfa';

When you say you are changing computers and have a blank page, are your new computers able to access the site via the network? (Can they ping the server ip?) A blank page suggests they are either in a different subnet or there is a firewall blocking those new machine ip addresses.

The account recovery feature, where a group of users are able to recover the account of one user, is a PRO version feature. Trial demos using the cloud service are available here: Try Passbolt Cloud - For Free

You can use the cloud service or install a self-hosted version if you decide PRO is a good fit for your needs.


Thx for replying.
I solved all my problems, it was a problem with my htaccess for both:
Header always edit Set-Cookie (.*) “$1; HTTPOnly”

I disabled it and now everything works well.

I am in the process of seeing with my company to find out if we absolutely need the recovery feature.
If so, we’ll upgrade to the PRO version.

In any case, it is not possible for us to have our passwords hosted on the internet, so I cannot use the cloud version.


1 Like