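/**
 * Render the account settings page for the currently logged-in user.
 *
 * Prints the greeting, navigation links and a POST form that lets the
 * user toggle the "require OTP login" preference; the checkbox is
 * pre-checked when the otp_enabled flag is set on the user's row.
 * Everything is written straight to the output stream; nothing is returned.
 *
 * The username is HTML-escaped before it is interpolated into the page, so a
 * user-chosen name cannot inject markup into the settings page. The form
 * itself carries no anti-CSRF token here; the settings.php handler is the
 * place to verify one on POST (not visible from this function).
 */
function print_settings_page()
{
    $uid = get_user_id();
    $username = get_user_name();

    // retrieves the otp_enabled flag from the user table
    $otp_auth_enabled = user_getotpauth($uid);

    // HTML-body context: the name is data, not markup, so escape it once here
    // (ENT_QUOTES also covers the single-quoted attributes used on this page).
    $safe_username = htmlspecialchars((string) $username, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');

    print "<h1>Welcome, {$safe_username}, to the account settings page</h1>";
    print " (<a href='logout.php'>logout</a> | <a href='settings.php'>account settings</a>)";
    print "<h3>Your preferences</h3>";
    print "<hr size=1 noshade>";
    print "<form action='settings.php' method='post'>";
    print "<a href='gen_otp_list.php'>Generate new otp list</a><br/><br/>";

    // Pre-check the box when OTP auth is already required on this account;
    // the emitted markup is identical to the two former branches.
    $checked = $otp_auth_enabled ? ' checked' : '';
    print "<input type='checkbox' name='require_otp'{$checked}>Require OTP login";

    print "<br/>";
    print "<br/>";
    print "<input type='submit' name='update' value='update'>";
    print "</form>";
}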
//check to see if user is already authenticating //this prevents RFC 2289 specified race condition //while ($session['locked']) { while (locked_for_authentication($uid, $session['session_hash'])) { /* spin until lock is released or timeout happens */ $session = user_getsession($uid); if (spinlock_timeout_reached()) { header("Location: retry.php"); exit; } } //lock account while authenticating set_session_lock($uid); //sets "locked" flag on session table //check of otp auth has been enabled on account $otp_auth_enabled = user_getotpauth($uid); //retrieves otp_enabled flag from user table if ($otp_auth_enabled) { if ($session['otp_auth']) { /* success, user has already authenticated with otp */ } else { /* user has logged in but not otp auth'd */ //untrusted_host() compares the IP of the current //session with the user's specified trusted list if (trusted_host($uid)) { /*user is coming from address which won't require OTP auth */ } else { /* user must otp auth */ header("Location: otp_challenge.php"); exit; }