So basically I want to achieve something similar to Google's two-factor authentication implementation. My login form consists of a 2-step form wizard:
The usage scenarios would be:
I'm subclassing Django's FormWizard now to be used as my login view. In Step 2, by default Django's FormWizard will include field values from previously submitted forms as hidden fields. But as you know, the password is entered in Step 1, so I don't want to include it in Step 2 for security reasons.
My first thought would be to use the session to indicate whether a user has passed Step 1, so I don't need to include field values from Step 1. But I may be overlooking something here. What are the more secure solutions to this?
Also I don't quite understand the use of security-hash in FormWizard. Can someone explain?
Thanks a lot.
I'm not exactly getting the point of the security token, but it would seem simpler and faster if you forgo extending the FormWizard
and just implement it as two separate views. The whole point of the FormWizard
is to break and aggregate several forms into one and your particular use case goes against it—you'd just be hacking it to functionally do something otherwise.
As for the security hash, it calculates a hash for all of the form data from successfully completed steps. This is just a security measure to ensure that the form data has not changed/been tampered with in between steps and that none of the steps were otherwise bypassed somehow.