Because relogin or ActionNeeded can happen during the handle_otp, solely
relying on the presence of the otp config value may cause some issue. We
might already have validated the otp once but we will run handle_otp
Also using locate_browser() when handling otp can lead to weird
behaviour. In our case it leads to unavailable page.
To fix this we don't use locate_browser() anymore, instead we store the
otp_form_data and otp_validation_url to use them in handle_otp. We also
use their presence in states to be sure that it's the first time we call