$_SESSION["login_delay"] = time() + $login_timeout; } // if login delay has expired, reset login attempts, else send to locked page if (time() > $_SESSION["login_delay"]) { $_SESSION["login_attempts"] = 0; unset($_SESSION["login_attempts"], $_SESSION["login_time"], $_SESSION["login_delay"]); } else { header("Location:locked.php"); exit; } } if (isset($_POST["username"]) && isset($_POST["password"]) && $_POST["action"] == "login") { // Host names from where the form is authorized to be posted from: // $authHosts = array("woosterstock.co.uk", "new.wooster-1.titaninternet.co.uk", "wsvitaly.acp.local"); //@lookup $authHosts = WS::getAuthHosts(); // if no authhosts defined - we just ignore this. and allow to login from any host. // this logic is not logic, don't know why it is needed here. // @vitaly if ($authHosts) { // Where have we been posted from? $fromArray = parse_url(strtolower($_SERVER['HTTP_REFERER'])); // Test to see if the $fromArray used www to get here. $wwwUsed = strpos($fromArray['host'], "www."); // Make sure the form was posted from an approved host name. if (!in_array($wwwUsed === false ? $fromArray['host'] : substr(stristr($fromArray['host'], '.'), 1), $authHosts)) { echo ' <p>Invalid Referer</p>'; exit; } }