Implementing a secure two-factor authentication for a login page with Django form wizard -

-

so want achieve similar google two-factor authentication implementation. login form consists of 2-step form wizard:

  1. step 1 (verifying username , password)
  2. step 2 (authenticate security token)

the usage scenarios be:

  1. user has security token associated account: logs user in if user passes step 1 , step 2
  2. user doesn't have security token: logs user in right after passes step 1 only

i'm subclassing django's form wizard used login view. in step 2, default django formwizard include field values submitted forms hidden fields. know, password entered in step 1, don't want include in step 2 security reasons.

my first thought use session indicate if user has passed step 1, don't need include field values step 1.. may overlooking here. more secure solutions this?

also don't quite understand use of security-hash in formwizard. can explain?

thanks lot.

i'm not getting point of security token, seem simpler , faster if forgo extending formwizard , implement 2 separate views. whole point of formwizard break , aggregate several forms 1 , particular use case goes against it—you'd hacking functionally otherwise.

as security hash, calculates hash of form data completed steps. security measure ensure form data has not changed/been tampered inbetween steps , none of steps otherwise bypassed somehow.


Comments

Post a Comment

Popular posts from this blog

Javascript line number mapping -

-
magically formatted comments change reported line number of javascript errors in browsers; this: //@line n "f" n line number , f file name. unfortunately, //@line appears ungoogleable. know there documentation on feature, , browsers support it? (i found references here , here .) from can find available in mozilla based browsers. it using js_setoptions command can turn these options on or off depending on values passed. https://developer.mozilla.org/en/js_setoptions
Read more

c# - Is it possible to remove an existing registration from Autofac container builder? -

-
something along lines: builder.registertype<mytype>().as<itype>(); builder.registertype<mytype2>().as<itype>(); builder.deregistertype<mytype>().as<itype>() var container = builder.build(); var types = container.resolve<ienumerable<itype>>(); assert.istrue(types.count == 1); assert.istrue(types[0].gettype == typeof(mytype2)); scenario: go through bunch of assemblies , go register types want make sure have 1 implementation of given type. need before create container. track on own nice if autofac me bit. this cannot done directly using containerbuilder , unless start on new one. mind you, having first built container should able construct new container filtering away unwanted types , reusing registrations first container. this: ... var container = builder.build(); builder = new containerbuilder(); var components = container.componentregistry.registrations .where(cr => cr.activator.limittype != typ...
Read more

php - Mysql PK and FK char(36) vs int(10) -

-
i have read mysql can handle indexes , searches better if tables keys integers rather char(36) uuid's. is worth converting int(10)? note: use 1 server , have have plans use multiple databases concurrently therefore removing 1 of big reasons using uuid. our tables innodb if makes difference. thanks in advance. usually rdbms can handle integer keys pk more efficient, other datatypes. reason how build index column, yes: long dont require string (or other typed) keys, should use integers. however: char(36) , int(10) far away being equal, because int(10) much smaller, char(36). dont know, if require many different keys, should keep in mind. update, complete last paragraph: int(10) 32-bit, char(36) 36 - ^byte^ (= 288-bit). not mean, int consumes less space, means, char(36) has 4 times more different keys.
Read more