session_start(); if ($_POST) { if (empty($_POST[AuthController::LOGIN_FORM_USER]) || empty($_POST[AuthController::LOGIN_FORM_PASS])) { $flash = array(); $flash['class'] = 'danger'; $flash['message'] = 'Please enter a username and password'; } else { if (!CaptchaController::validate_captcha($_POST[AuthController::LOGIN_FORM_CAPTCHA])) { $flash = array(); $flash['class'] = 'danger'; $flash['message'] = 'Invalid captcha'; } else { $user = $_POST[AuthController::LOGIN_FORM_USER]; $pass = $_POST[AuthController::LOGIN_FORM_PASS]; //authenticate if (AuthController::is_authenticated($user, $pass)) { //save in session AuthController::save_auth($user); //redirect $redirect_url = !empty($_SESSION[AuthController::SESSION_REDIRECT_URL_KEY]) ? $_SESSION[AuthController::SESSION_REDIRECT_URL_KEY] : AuthController::LOGGED_IN_HOME_URL; http_response_code(302); header('Location: ' . $redirect_url); die; } else { //randomize sleep to timing string length attacks usleep(rand(AuthController::LOGIN_FAILED_TIMEOUT_MIN, AuthController::LOGIN_FAILED_TIMEOUT_MAX)); $flash = array(); $flash['class'] = 'danger'; $flash['message'] = 'Invalid username or password'; } }