You should use your custom Authenticator (see docs for Server
development -> Authentication SPI). So the idea is to put this
authenticator (Optional requirement) inside browser flow right after
Cookie. It will check whether user is authenticated or not (if user was
authenticated it means that Cookie worked). Then it will show form that
you described via its challenge() method, and process user reaction in
action() method. If you don't fully understand what i've wrote check
docs and you definitely should get the idea. Cheers.
Show replies by date