Keep otp_recovery out of the session

Author: helmo

interface/web/login/index.php

@@ -148,7 +148,6 @@ function process_login_request(app $app, &$error, $conf, $module)
 				$_SESSION['otp']['session_attempts'] = 0;
 				$_SESSION['otp']['type'] = $user['otp_type'];
 				$_SESSION['otp']['data'] = $user['otp_data'];
-				$_SESSION['otp']['recovery'] = $user['otp_recovery'];
 
 				//* Redirect to otp script
 				header('Location: otp.php');

interface/web/login/otp.php

@@ -76,10 +76,10 @@ function finish_2fa_success($msg = '') {
 }
 
 //* Handle recovery code
-if(isset($_POST['code']) && strlen($_POST['code']) == $otp_recovery_code_length && $_SESSION['otp']['recovery']) {
+if(isset($_POST['code']) && strlen($_POST['code']) == $otp_recovery_code_length) {
 	//* TODO Recovery code handling
 
-	$user = $app->db->queryOneRecord('SELECT otp_attempts FROM sys_user WHERE userid = ?',$_SESSION['s_pending']['user']['userid']);
+	$user = $app->db->queryOneRecord('SELECT otp_attempts, otp_recovery FROM sys_user WHERE userid = ?',$_SESSION['s_pending']['user']['userid']);
 
 	//* We allow one more try to enter recovery code
 	if($user['otp_attempts'] > $max_global_code_retry + 1) {