예제 #1
        $_SESSION["login_delay"] = time() + $login_timeout;
    }
    // if login delay has expired, reset login attempts, else send to locked page
    if (time() > $_SESSION["login_delay"]) {
        $_SESSION["login_attempts"] = 0;
        unset($_SESSION["login_attempts"], $_SESSION["login_time"], $_SESSION["login_delay"]);
    } else {
        header("Location:locked.php");
        exit;
    }
}
if (isset($_POST["username"]) && isset($_POST["password"]) && $_POST["action"] == "login") {
    // Host names from where the form is authorized to be posted from:
    //	$authHosts = array("woosterstock.co.uk", "new.wooster-1.titaninternet.co.uk", "wsvitaly.acp.local");
    //@lookup
    $authHosts = WS::getAuthHosts();
    // If no authHosts are configured, this check is skipped entirely and the login
    // POST is accepted regardless of where it was submitted from.
    // The reason this check exists is unclear (it reads like an ad-hoc anti-CSRF
    // measure). Note that it is a weak control in any case: HTTP_REFERER is
    // supplied by the client, is routinely stripped by browsers/proxies (which
    // would lock out legitimate users with "Invalid Referer"), and can be set to
    // anything by a non-browser client. It should not be relied on as the sole
    // cross-site protection for the login form; a per-session CSRF token is the
    // usual replacement.
    // @vitaly
    if ($authHosts) {
        // Where have we been posted from?
        $fromArray = parse_url(strtolower($_SERVER['HTTP_REFERER']));
        // Test to see if the $fromArray used www to get here.
        $wwwUsed = strpos($fromArray['host'], "www.");
        // Make sure the form was posted from an approved host name.
        if (!in_array($wwwUsed === false ? $fromArray['host'] : substr(stristr($fromArray['host'], '.'), 1), $authHosts)) {
            echo '
			<p>Invalid Referer</p>';
            exit;
        }
    }