-2

I am trying to implement two factor authentication. The login will consist of 2 steps:

  1. Username and password are provided and checked for correctness. If they are correct, and 2FA is not enabled for the account, the user is logged in (a cookie is set). If they are correct and 2FA is enabled, the user is redirected to a page where she has to enter her one time password.

  2. The user enters her one time password and is logged in if it is correct.

When redirecting the user to the OTP page, I need to somehow remember that she already entered the correct password and username. What would be the best way to do that? Is it possible to send post data with a redirect, so that I can just send password and username again? Should I create an intermediate cookie that saves a secret (and also save that secret on the server, seems like a complicated way of doing it?).

I am using Flask and mod_auth_tkt (an Apache module for cookie-based authentication) if that makes any difference.

Gasp0de

1 Answer

1

> Should I create an intermediate cookie that saves a secret (and also save that secret on the server, seems like a complicated way of doing it?).

I guess you could use Flask session for that, just remember to clear it if login/two factor authentication fails!

Documentation: http://flask.pocoo.org/docs/1.0/quickstart/#sessions

vremes
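The Flask-session approach suggested in the answer, as an added example that is not part of the original post: the first step stores only a "pending" marker, the second step consumes it, and the marker is cleared on failure. The route names, the `USERS` store, `check_otp`, `same` and `PENDING_TTL` are hypothetical and constructed for this sketch.

```python
import hmac
import time
from flask import Flask, abort, redirect, request, session

app = Flask(__name__)
app.secret_key = "constructed-demo-key"  # assumption: a random secret from config in real use

# Constructed demo account; real code checks a password hash and a real TOTP.
USERS = {"alice": {"password": "correct horse", "otp": "123456", "twofa": True}}
PENDING_TTL = 300  # seconds a half-finished login stays valid (hypothetical value)

def same(a, b):
    return hmac.compare_digest(a.encode(), b.encode())  # constant-time compare

def check_otp(name, code):  # hypothetical stand-in for a TOTP verifier
    return same(USERS[name]["otp"], code)

@app.route("/login", methods=["POST"])
def login():
    session.clear()  # drop any earlier login or pending state
    name = request.form.get("username", "")
    user = USERS.get(name)
    if user is None or not same(user["password"], request.form.get("password", "")):
        abort(401)
    if not user["twofa"]:
        session["user"] = name
        return redirect("/")
    # Step 1 passed: record who and when, but do not mark the user as logged in.
    session["pending_2fa"] = {"user": name, "ts": time.time()}
    return redirect("/otp")

@app.route("/otp", methods=["POST"])
def otp():
    # pop() clears the pending state whether the code is right or wrong.
    pending = session.pop("pending_2fa", None)
    if pending is None or time.time() - pending["ts"] > PENDING_TTL:
        abort(401)
    if not check_otp(pending["user"], request.form.get("otp", "")):
        abort(401)
    session["user"] = pending["user"]
    return redirect("/")

@app.route("/")
def index():
    if "user" not in session:
        abort(401)
    return "hello " + session["user"]
```

Flask's default session is a signed cookie that the client can read but not alter, so only the username and a timestamp are stored in it, never the password.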