コード例 #1
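 // Login-strike gate: while a 'laststrike' timestamp in the staff session is
 // younger than the configured timeout, the attempt is refused up front;
 // once the timeout has elapsed the strike state is cleared.
 // NOTE(review): 'laststrike' and 'strikes' are presumably written elsewhere when
 // a login fails - confirm. Both live only in $_SESSION, so the lockout follows
 // the session rather than the account or the client address; verify that a
 // server-side limit keyed on username / source address exists as well.
 //
 // The line below is a debugging switch and must stay commented out in production:
 //$_SESSION['_staff']=array(); #Uncomment to disable login strikes.
 $msg = _('Invalid login');
 // !empty() keeps the original truthiness test but no longer raises an
 // "undefined array key" warning when no strike has been recorded yet.
 if (!empty($_SESSION['_staff']['laststrike'])) {
     $sinceLastStrike = time() - $_SESSION['_staff']['laststrike'];
     if ($sinceLastStrike < $cfg->getStaffLoginTimeout()) {
         // Still inside the lockout window: setting $errors makes the
         // `!$errors` guard on the credential check below fail.
         $msg = _('Excessive failed login attempts');
         $errors['err'] = _('You\'ve reached maximum failed login attempts allowed.');
     } else {
         // Timeout is over.
         // Reset the counter for the next round of attempts after the timeout.
         $_SESSION['_staff']['laststrike'] = null;
         $_SESSION['_staff']['strikes'] = 0;
     }
 }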
 if (!$errors && ($user = new StaffSession($_POST['username'])) && $user->getId() && $user->check_passwd($_POST['passwd'])) {
     //update last login.
     $user->update_lastlogin($user->getId());
     //Figure out where the user is headed - destination!
     $dest = $_SESSION['_staff']['auth']['dest'];
     //Now set session crap and lets roll baby!
     $_SESSION['_staff'] = array();
     //clear.
     $_SESSION['_staff']['userID'] = $_POST['username'];
     $user->refreshSession();
     //set the hash.
     $_SESSION['TZ_OFFSET'] = $user->getTZoffset();
     $_SESSION['daylight'] = $user->observeDaylight();
     Sys::log(LOG_DEBUG, 'Staff login', sprintf('%s ' . _('logged in'), $user->getUserName()), $user->getUserName());
     //Debug
     //Redirect to the original destination. (make sure it is not redirecting to login page.)
     $dest = $dest && (!strstr($dest, 'login.php') && !strstr($dest, 'ajax.php')) ? $dest : 'index.php';
     session_write_close();