2 phase ajax-based authentication
We have an ajax application that requires two steps: first the user enters a user name and password, then if it's correct, a challenge question is presented. What's the best practice to manage the process? I plan to generate a temp session id after the first phase to be used in the second phase. And then a permanent session id is generated after the challenge question is answered correctly in the second phase. This permanent session id will be used in subsequent requests. Will the session ids have to be explicitly passed as parameters in the ajax calls? Any advice is appreciated.
There are basically two methods for session management: with an extra parameter on each request, which requires URL rewriting of all the links, or with a cookie.
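The flow from the question with the cookie option from the answer, as an added server-side sketch that is not code from the original posts. The function names, the in-memory store, the 5-minute pending lifetime and the sample account are assumptions made for illustration.

```javascript
// Added example: two-phase login with a pending id that is rotated to a full session id.
const { randomBytes, createHash, timingSafeEqual } = require('crypto');

const PENDING_TTL_MS = 5 * 60 * 1000; // assumption: time allowed to answer the challenge
const sessions = new Map();           // in-memory store: id -> { user, state, expires }

// Constructed sample account; a real system stores salted hashes, not plaintext.
const USERS = new Map([['alice', { password: 'correct horse', answer: 'blue' }]]);

const newId = () => randomBytes(32).toString('hex');

// Compare fixed-length digests so the comparison time does not depend on the input.
function safeEqual(a, b) {
  if (typeof a !== 'string' || typeof b !== 'string') return false;
  const ha = createHash('sha256').update(a).digest();
  const hb = createHash('sha256').update(b).digest();
  return timingSafeEqual(ha, hb);
}

// Sent as a cookie, the id travels with every ajax call without an explicit parameter.
const cookieFor = (id) => `sid=${id}; HttpOnly; Secure; SameSite=Strict; Path=/`;

// Phase 1: a correct password yields a pending id that is only good for phase 2.
function phase1(user, password, now = Date.now()) {
  const rec = USERS.get(user);
  if (!rec || !safeEqual(password, rec.password)) return null;
  const id = newId();
  sessions.set(id, { user, state: 'pending', expires: now + PENDING_TTL_MS });
  return id;
}

// Phase 2: the pending id is single-use; a correct answer issues a fresh full id.
function phase2(pendingId, answer, now = Date.now()) {
  const s = sessions.get(pendingId);
  sessions.delete(pendingId); // consumed whether or not the answer is right
  if (!s || s.state !== 'pending' || now > s.expires) return null;
  if (!safeEqual(answer, USERS.get(s.user).answer)) return null;
  const id = newId();
  sessions.set(id, { user: s.user, state: 'full' });
  return id;
}

// Protected endpoints accept only ids in the 'full' state.
function authorize(id) {
  const s = sessions.get(id);
  return s && s.state === 'full' ? s.user : null;
}
```

Because the pending id is never promoted in place, an id captured during the first phase cannot later be used as an authenticated session.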