
Try to use browser storage instead of fingerprint in StayConnected (#2881)

Yadd requested to merge use-totp-for-stay-connected into v2.0

Design:

  • registration:
    • server sends a proposed TOTP secret
    • if the browser has local storage, it stores the key and uses it to generate a TOTP
    • else it downloads fingerprint2.js and does as before
    • if the server gets a valid TOTP, it stores the TOTP secret in the permanent session, else it does as before
  • authentication
    • when the cookie exists, the server sends the same HTML/JS as for registration
    • if the browser has a TOTP secret in its storage, it uses it
    • else it downloads fingerprint2.js and does as before
    • if server gets a valid TOTP or a valid fingerprint (if no secret were stored) => OK
Edited by Yadd
