コード例 #1
ファイル: settings.php プロジェクト: mohammedkhalidm1/otpauth
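/**
 * Render the account settings page for the current user.
 *
 * Prints a greeting, the logout/settings links, a link to generate a new OTP
 * list, and a form whose "Require OTP login" checkbox reflects the value
 * returned by user_getotpauth() for the account. All output is written with
 * print; nothing is returned.
 */
function print_settings_page()
{
    $uid = get_user_id();
    // The user name is placed inside HTML below. Encode it for that context so
    // that markup characters in a stored name are shown as text instead of
    // being interpreted by the browser (stored XSS).
    $username = htmlspecialchars((string) get_user_name(), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    // Check whether OTP auth has been enabled on the account.
    // Per the original author, this reads the otp_enabled flag from the user table.
    $otp_auth_enabled = user_getotpauth($uid);
    // Pre-tick the checkbox only when OTP is currently required.
    $checked = $otp_auth_enabled ? ' checked' : '';

    print "<h1>Welcome, {$username}, to the account settings page</h1>";
    print " (<a href='logout.php'>logout</a> | <a href='settings.php'>account settings</a>)";
    print "<h3>Your preferences</h3>";
    print "<hr size=1 noshade>";
    // NOTE(review): this form changes a security setting (whether OTP is
    // required) and no anti-CSRF token is emitted here. The POST handler is not
    // part of this function, so confirm that it verifies a per-session token
    // and re-checks the user's credentials before OTP can be switched off.
    print "<form action='settings.php' method='post'>";
    // NOTE(review): gen_otp_list.php is reached by a plain link (GET). If that
    // page replaces the OTP list on load, it needs the same request-forgery
    // protection as the form - confirm against that script.
    print "<a href='gen_otp_list.php'>Generate new otp list</a><br/><br/>";
    print "<input type='checkbox' name='require_otp'{$checked}>Require OTP login";
    print "<br/>";
    print "<br/>";
    print "<input type='submit' name='update' value='update'>";
    print "</form>";
}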
コード例 #2
ファイル: lib.php プロジェクト: mohammedkhalidm1/otpauth
// Wait while another authentication attempt for this account holds the lock.
// The original author cites the race condition described in RFC 2289, which
// arises when the same user authenticates in two sessions at once.
// Previous loop condition, kept for reference:
//while ($session['locked']) {
while (locked_for_authentication($uid, $session['session_hash'])) {
    /* spin until the lock is released or the timeout is reached;
       the session is re-read on every pass so the loop condition sees
       the current session_hash */
    $session = user_getsession($uid);
    if (spinlock_timeout_reached()) {
        // Timed out: send the client to the retry page. exit stops the rest
        // of the script from running after the redirect header is queued.
        header("Location: retry.php");
        exit;
    }
}
// Lock the account for the duration of this authentication attempt.
// NOTE(review): the check in the loop above and this call are two separate
// steps, so two requests could both leave the loop before either one sets
// the lock, unless set_session_lock() performs an atomic test-and-set.
// Confirm against its implementation; where the lock is released is not
// visible in this excerpt.
set_session_lock($uid);
// Per the original author, this sets the "locked" flag in the session table.
// Check whether OTP auth has been enabled on the account.
$otp_auth_enabled = user_getotpauth($uid);
// Per the original author, this reads the otp_enabled flag from the user table.
if ($otp_auth_enabled) {
    if ($session['otp_auth']) {
        /* success, user has already authenticated with otp */
    } else {
        /* user has logged in but not otp auth'd */
        //untrusted_host() compares the IP of the current
        //session with the user's specified trusted list
        if (trusted_host($uid)) {
            /*user is coming from address which won't require OTP auth */
        } else {
            /* user must otp auth */
            header("Location: otp_challenge.php");
            exit;
        }