Stuck in an MFA loop when running passbolt under http://


Have just gone throught the setup. Got the 1st user on. Enabled MFA and now cant get back in. No error, it just keeps asking for the OTP.


We have seen this issue in some rare cases for example:

  • when the user agent changes, for example due to the default extension installed Fedora.
  • when the cookie settings are preventing the MFA cookie to be set

Can you provide more information about your setup?
Since you are a pro subscriber you can also contact us on

Thanks for getting back to me. I am running the latest version of the VM install. I have changed the times to make sure the time on the server matches my local area. I have also cleared my cookies. I have tried the firefox and edge plugins.

Do you use passbolt with http:// ?

yes we have not put a certificate on it for HTTPS yet

Ok that’s most likely the reason. If you do not have https enable, passbolt will refuse to set unsecure MFA cookies, unless you force the config to a “non secure” mode.

For this you will need to add in your passbolt.php (in your passbolt directory under config/passbolt.php). Don’t forget to turn this off later once you have certificate setup:

    // find this section
    'passbolt' => [
       // add this
        'security' => [
            'cookies' => [
                'secure' => false
     // leave the rest of the file

You can also use the PASSBOLT_SECURITY_COOKIE_SECURE environment variable otherwise.

The best at this point, in my opinion, unless you are just testing, would be to get a proper domain and certificate, and perform a clean reinstall so that your instance is secure from the start. If the domain url change you will in any case need to “recover” your account to sync it with the new URL, so it might be worth it before you go to far.

I hope this helps!

This topic was automatically closed 5 days after the last reply. New replies are no longer allowed.