Try to use browser storage instead of fingerprint in StayConnected (#2881) (!326) · Merge requests · LemonLDAP NG / lemonldap-ng

Yadd requested to merge use-totp-for-stay-connected into v2.0 Feb 27, 2023

Design:

registration:
- server sends a proposed TOTP secret
- if browser has a local storage, it stores the key and use it to generate TOTP
- else it downloads fingerprint2.js and does like before
- if server gets a valid TOTP, it stores the TOTP secret in permanent session, esle it does like before
authentication
- when cookie exists, server sends the same HTML/JS than registration
- if browser has TOTP secret in its storage, it uses it
- else it downloads fingerprint2.js and does like before
- if server gets a valid TOTP or a valid fingerprint (if no secret were stored) => OK

Edited Feb 28, 2023 by Yadd

Try to use browser storage instead of fingerprint in StayConnected (#2881)