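 /**
  * Checks whether the user submitted a correct POST authentication code and sets a new code when authentication succeeded or too many attempts have been done.
  *
  * Use this method instead of checking the code yourself. This ensures the
  * following:
  * - A consistent API (always the same POST field: POST_auth_code)
  * - The failed-attempt counter is reset after a successful check
  * - The current code is discarded after too many consecutive failed attempts
  *   (the $_SESSION key holding the code is unset, so a new one should be
  *   generated by getPostAuthCode())
  *
  * The submitted value is compared with the expected code using hash_equals(),
  * so the response time does not depend on how many leading characters matched.
  * A missing, empty, or non-string submission (e.g. POST_auth_code[]=x) counts
  * as a failed attempt instead of being passed to the comparison.
  *
  * @see getPostAuthCode()
  * @api
  * @return  boolean  True if the code was correct, false otherwise
  */
 public function checkPostAuthCode()
 {
     $postField = 'POST_auth_code';
     // The key of the $_SESSION array field with the number of failed attempts to check a POST authentication code
     $postAuthAttempts = 'POST_auth_attempts';
     // Number of consecutive failed attempts after which the current code is discarded.
     // NOTE(review): the earlier docblock said five attempts while the code used 500 — confirm the intended threshold.
     $maxFailedAttempts = 500;
     BeeHub::startSession();
     if (!isset($_SESSION[$postAuthAttempts])) {
         $_SESSION[$postAuthAttempts] = 0;
     }

     $submitted = isset($_POST[$postField]) ? $_POST[$postField] : null;
     $expected = $this->getPostAuthCode();
     // hash_equals() requires two strings (PHP 8 throws a TypeError otherwise), so reject anything
     // that is not a non-empty string before comparing. The known value goes first, the user value second.
     // empty() is kept so behaviour matches the previous check (an all-zero-ish submission is still rejected).
     $correct = is_string($submitted)
         && !empty($submitted)
         && is_string($expected)
         && hash_equals($expected, $submitted);

     if (!$correct) {
         $_SESSION[$postAuthAttempts]++;
         if ($_SESSION[$postAuthAttempts] >= $maxFailedAttempts) {
             // Too many failures: unset the key so a new code should be generated. This limits brute force attempts against a single code.
             unset($_SESSION[self::$SESSION_KEY]);
             $_SESSION[$postAuthAttempts] = 0;
         }
         return false;
     }
     $_SESSION[$postAuthAttempts] = 0;
     return true;
 }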