Is saving the user object to sessions safe to do when logging them in?


I am writing my own 2FA functionality (I know that django-otp and django-two-factor-auth exist, this is just for fun). Everything is fine except for the log in view. I know that you can use the following to authenticate the user:

user = authenticate(request, username=cd['username'], password=cd['password'])
login(request, user)

What I want to do though is pass the user variable into the view function that I will be using to do the 2FA on. That way, once the user enters their TOTP, I can use the already authenticated user as the user in the login function. Everything is fine other than how to pass this data along. Is it safe, security wise, to pass the user along via sessions? I would do something like:

request.session['authenticate_user'] = user

And in the 2FA view put the following to retrieve the user:

user = request.session.get('authenticate_user', None)

I know that passing the password along is not safe, even if it is encrypted. Is the way I am proposing alright to do though? Would I have to serialise the user model, which would expose the password, leaving the point of doing this moot? If it is not safe, what should you do instead? I have contemplated posting the password and user to the view using the requests module. Would this be security safe as an alternative, assuming it is not safe to save the user to sessions? I would of course ensure the session is deleted when coming out of the 2FA page. No help is needed with the actual coding, I just want to know if what I am thinking of doing is safe or not. Would using AJAX be better? Thank you



I have decided to not do any of my proposed solutions. Instead I am going to split the login into parts. First they will put their name into a form with only a username field. Then, if they have 2FA active, it will return a form with the TOTP as well as the password, and if not, then it will give them a form with just a password field. I will then be able to authenticate without any security issues. I would still love to know the answer to the question though for general knowledge purposes!
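As an added example (not from the question or the answer above), a framework-agnostic sketch of the usual alternative to the session approach asked about: after the password check, keep only the user's primary key and a timestamp in the session, and look the user up again once the TOTP is verified. `User`, `lookup`, the session key names and the 300-second lifetime are constructed assumptions standing in for Django's user model, `User.objects.get(pk=...)` and `request.session`.

```python
import json
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed stand-in for a Django user row. The password column holds a hash,
# which is exactly the field that must never be copied into the session.
@dataclass
class User:
    pk: int
    username: str
    password: str  # hashed password as stored by the ORM

# Session keys and lifetime for the half-finished login (assumed names/values).
PENDING_KEY = "pre_2fa_user_id"
PENDING_AT_KEY = "pre_2fa_started_at"
PENDING_MAX_AGE = 300  # seconds before the user must start over

def start_2fa(session: dict, user: User, now: float) -> None:
    """First step: password already checked; store only pk and a timestamp."""
    session[PENDING_KEY] = user.pk
    session[PENDING_AT_KEY] = now

def finish_2fa(session: dict, lookup: Callable[[int], Optional[User]],
               now: float, max_age: int = PENDING_MAX_AGE) -> Optional[User]:
    """Second step (TOTP verified by the caller): consume the pending id and
    return the User to hand to login(), or None if nothing valid is pending."""
    user_id = session.pop(PENDING_KEY, None)
    started = session.pop(PENDING_AT_KEY, None)
    if user_id is None or started is None:
        return None           # first step never happened in this session
    if now - started > max_age:
        return None           # stale: do not let an old half-login complete
    return lookup(user_id)    # e.g. User.objects.get(pk=user_id) in Django

def store_user_naively(session: dict, user: User) -> None:
    """What the question proposes, with the model flattened so it serialises:
    the password hash now rides along in the session payload."""
    session["authenticate_user"] = vars(user)

def session_leaks_password(session: dict, user: User) -> bool:
    """True if the stored password hash appears anywhere in the session data."""
    return user.password in json.dumps(session)
```

With a cookie-based session backend the session payload is signed but readable by the client, so `session_leaks_password` being true means the hash leaves the server.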