Remember OTP token for hours #56

Closed
awais786 opened this issue May 22, 2014 · 14 comments

Comments

@awais786

I want to implement "remember OTP" for a few hours (10 hrs). That means on the first attempt the admin gives userid/password and then the OTP, and for the next 10 hrs, when the admin tries to log in again, it asks for userid/password only and skips the OTP until the 10 hrs are over.

What's the best place to implement this in the codebase?

@Bouke Bouke added the question label May 22, 2014
@Bouke (Collaborator) commented May 22, 2014

Great idea. Google has the option to remember a computer for 30 days. Maybe a feature like that will make it into this app someday as well.

Verifying and storing the OTP device is performed by django-otp. See the login method, OTPMiddleware and the otp_required decorator. Also have a look at the settings for your sessions: expiring sessions will also invalidate OTP logins.

@awais786 (Author)

We may need a cookie for this?

@Bouke (Collaborator) commented May 22, 2014

If you're going to override said methods, you could also choose to set an expiry time in the session. However, the session should not have too short an expiration time. Otherwise, a signed/encrypted cookie is also a good idea.

@Bouke (Collaborator) commented May 26, 2014

If you have any additional questions, please let me know.

@Bouke Bouke closed this as completed May 26, 2014
@awais786 (Author) commented Jun 4, 2014

I have implemented it in the following way. I added a checkbox to AuthenticationTokenForm.
When the done method executes, I generate the cookie and return it to the browser. The next time the user comes to log in, after the AuthenticationForm post I check whether a valid cookie exists for this user. If the cookie exists, I log the user in. This solution looks simple, but to open the two_factor app's URLs, like backup tokens, I ask for the token. What do you think about this approach?

@Bouke (Collaborator) commented Jun 4, 2014

It seems like a solid approach. You could also extend has_token_step and has_backup_step to skip the token part on login, instead of your current approach.

@awais786 (Author) commented Jun 4, 2014

OK, I will try this. I would also suggest that you add this feature to master. A very minor change but a solid feature.

@awais786 (Author) commented Jun 5, 2014

If you want, I can do this and send you a pull request.

@shanx (Member) commented Mar 9, 2015

I would love to have a look at your work! Since I'm looking into implementing this myself, I don't see it in your fork.

@Bouke Bouke added enhancement and removed question labels Apr 7, 2015
@Bouke Bouke reopened this Apr 7, 2015
@danielquinn (Contributor)

I ended up here as I was trying to figure out how to do this and haven't had any success yet. Was this issue solved in some other way or abandoned as something the implementing developer should handle?

If it's the latter, how did you lot do this?

@compsult commented Mar 14, 2018

What do you think about this approach?

1 - Add a date column to user_sessions_session called "last_validated"
2 - Datestamp "last_validated" upon a successful token login
3 - Modify OTPRequiredMixin to
    - query user_sessions_session, if user/agent/ip was "last_validated" in {{trusted_days}}
    - allow access if authenticated (without token)

@Bouke (Collaborator) commented Mar 14, 2018

I'd rather not record this in the database, but use something ephemeral instead (e.g. a signed cookie or the Django session). I think a cookie would be best in this instance, scoped to the login view's path.
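An added example, not code from any commenter or from django-two-factor-auth, of the signed, time-limited "remember this device" cookie discussed throughout this thread: issued once the OTP step has succeeded (the checkbox flow awais786 describes), bound to the user, valid for the ten hours the issue asked for, scoped to the login path as suggested above, and consulted where a `has_token_step` override would decide whether to show the token step. It uses the standard library `hmac` module so it runs without Django; in a Django project, `django.core.signing.TimestampSigner` with a salt and `unsign(max_age=...)` provides the same check, and `cookie_attributes()` returns what you would pass to `response.set_cookie()`. The secret, cookie name and login URL are constructed placeholders.

```python
import hashlib
import hmac
import time

# Constructed placeholder secret; a Django project would use settings.SECRET_KEY.
DEMO_SECRET = b"constructed-demo-secret-not-for-production"
REMEMBER_TTL = 10 * 60 * 60          # ten hours, the window requested in the issue
COOKIE_NAME = "remember_otp_device"  # hypothetical cookie name


def _mac(secret: bytes, payload: str) -> str:
    # Keyed hash over the payload. The fixed prefix acts as a salt so this MAC
    # can never be confused with another value signed with the same secret.
    return hmac.new(secret, b"remember-otp-device:" + payload.encode(),
                    hashlib.sha256).hexdigest()


def issue_remember_token(secret: bytes, user_id, now=None) -> str:
    # Called after the OTP step succeeded and the user ticked "remember me".
    issued_at = int(now if now is not None else time.time())
    payload = f"{user_id}:{issued_at}"
    return f"{payload}:{_mac(secret, payload)}"


def verify_remember_token(secret: bytes, token, user_id, now=None,
                          ttl: int = REMEMBER_TTL) -> bool:
    # Returns True only for an untampered token, issued for this user,
    # that is still inside its validity window.
    now = now if now is not None else time.time()
    try:
        uid, issued_at_str, mac = token.split(":")
        issued_at = int(issued_at_str)
    except (AttributeError, ValueError):
        return False                     # missing cookie or malformed value
    payload = f"{uid}:{issued_at}"
    if not hmac.compare_digest(mac, _mac(secret, payload)):
        return False                     # tampered, or signed with another key
    if uid != str(user_id):
        return False                     # cookie belongs to a different account
    if issued_at > now or now - issued_at > ttl:
        return False                     # expired (or issued in the future)
    return True


def cookie_attributes(login_url: str = "/account/login/", ttl: int = REMEMBER_TTL) -> dict:
    # Keyword arguments for Django's response.set_cookie(). Scoping the path to
    # the login URL keeps the browser from sending the cookie to other views.
    return {"max_age": ttl, "path": login_url, "secure": True,
            "httponly": True, "samesite": "Strict"}


def has_token_step(cookies: dict, user_id, now=None) -> bool:
    # The condition a has_token_step override would evaluate: the OTP step is
    # required unless the request carries a valid remember cookie.
    token = cookies.get(COOKIE_NAME)
    return not verify_remember_token(DEMO_SECRET, token, user_id, now=now)


if __name__ == "__main__":
    token = issue_remember_token(DEMO_SECRET, 7)
    print("token issued:", token)
    print("token step needed with cookie:", has_token_step({COOKIE_NAME: token}, 7))
    print("token step needed without cookie:", has_token_step({}, 7))
```

Because the MAC covers both the user id and the issue time, a cookie copied from one account cannot skip the OTP step for another, and shortening the window is a server-side change rather than a new cookie format. The backup-token and device-management views keep requiring a fresh OTP, which matches what awais786 described.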

compsult added a commit to compsult/django-two-factor-auth that referenced this issue Mar 22, 2018
(scoped to settings.LOGIN_URL). If cookie exists/is valid
on the next login, token steps are skipped

issue jazzband#56
@diegobill

👍

@beckedorf (Contributor)

I just started a new attempt. But still WIP #352
