diff --git a/hiboo/account/login.py b/hiboo/account/login.py
index a0fb870b3bd6e140dc2f377e3fb381e75ab5d953..9669a9e5e2d9b90ea49c12314425b5f4cf4546cd 100644
--- a/hiboo/account/login.py
+++ b/hiboo/account/login.py
@@ -30,18 +30,18 @@ def signin():
 @blueprint.route("/totp/verify", methods=["GET", "POST"])
 def totp_verify():
     form = forms.TotpForm()
-    if "username" not in session:
+    if "username" in session:
+        user = models.User.query.filter_by(username=session["username"]).first() or flask.abort(403)
+    else:
         return flask.redirect(flask.url_for(".signin"))
     if form.validate_on_submit():
-        user = models.User.query.filter_by(username=session["username"]).first()
-        if user and user.auths["totp"].check_totp(form.totp.data):
+        if user.auths["totp"].check_totp(form.totp.data):
             flask_login.login_user(user)
             session.pop("username")
             return flask.redirect(utils.url_or_intent(".home"))
         else:
-            flask.flash(_("Wrong password"), "danger")
-    return flask.render_template("account_totp_verify.html", form=form,
-        action=utils.url_for(".totp_verify"))
+            flask.flash(_("Wrong TOTP"), "danger")
+    return flask.render_template("account_totp_verify.html", form=form)
 
 
 @blueprint.route("/signout")
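Review bot: `user.auths["totp"].check_totp(form.totp.data)` on the new side is reached for any user whose username sits in the pre-auth session, so if `auths` is a plain mapping and the account has no TOTP method enrolled this raises `KeyError` and returns a 500 instead of a clean failure; the previous guard did not cover that case either, but the refactor is the moment to add it, e.g. `totp = user.auths.get("totp")` followed by `if totp and totp.check_totp(form.totp.data):` (confirm against the `auths` type in models). The `... or flask.abort(403)` branch also leaves the stale `session["username"]` in place after aborting, so a session pointing at a deleted account keeps hitting 403 on this route; popping it first, `session.pop("username", None)` before the abort, or redirecting to `.signin` as the `else` branch does, would be cleaner. Since this view accepts unlimited attempts against a short one-time code, consider applying whatever lockout or rate limiting `signin` uses (not visible in this hunk) to the failure branch that flashes `_("Wrong TOTP")`.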