Forget login session keys after successful 2FA challenge

login.id and login.remember were migrated through session regenerate
and never consumed. Cleaning them up prevents the challenge form tag
(which gates on login.id presence) from rendering for a user who has
already authenticated.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: jasonvarga

src/Http/Controllers/TwoFactorChallengeController.php

@@ -52,6 +52,8 @@ public function store(TwoFactorChallengeRequest $request)
 
         Auth::guard()->login($user, $request->remember());
 
+        $request->session()->forget(['login.id', 'login.remember']);
+
         $request->session()->elevate();
 
         $request->session()->regenerate();

tests/Tags/User/TwoFactorChallengeFormTest.php

@@ -90,6 +90,22 @@ public function it_completes_challenge_and_redirects()
         $this->assertAuthenticatedAs($user);
     }
 
+    #[Test]
+    public function it_clears_login_session_keys_after_successful_challenge()
+    {
+        $user = $this->userWithTwoFactorEnabled();
+
+        $this
+            ->session(['login.id' => $user->id(), 'login.remember' => true])
+            ->post(route('statamic.two-factor-challenge'), [
+                'code' => $this->getOneTimeCode($user),
+                '_redirect' => '/dashboard',
+            ])
+            ->assertRedirect('/dashboard')
+            ->assertSessionMissing('login.id')
+            ->assertSessionMissing('login.remember');
+    }
+
     #[Test]
     public function it_completes_challenge_with_recovery_code_and_redirects()
     {