/** * Validates the inputs of the tbl_users, checks if password is correct etc. * If successful, user is returned * * @param $user_name * @param $user_password * * @return bool|mixed */ private static function validateAndGetUser($user_name, $user_password) { // get all data of that user (to later check if password and password_hash fit) $result = UserModel::getUserDataByUsername($user_name); // Check if that user exists. We don't give back a cause in the feedback to avoid giving an attacker details. if (!$result) { Session::add('feedback_negative', Text::get('FEEDBACK_LOGIN_FAILED')); return false; } // block login attempt if somebody has already failed 3 times and the last login attempt is less than 30sec ago if ($result->user_failed_logins >= 3 and $result->user_last_failed_login > time() - 30) { Session::add('feedback_negative', Text::get('FEEDBACK_PASSWORD_WRONG_3_TIMES')); return false; } // if hash of provided password does NOT match the hash in the database: +1 failed-login counter if (!password_verify($user_password, $result->user_password_hash)) { self::incrementFailedLoginCounterOfUser($result->user_name); // we say "password wrong" here, but less details like "login failed" would be better (= less information) Session::add('feedback_negative', Text::get('FEEDBACK_PASSWORD_WRONG')); return false; } // if user is not active (= has not verified account by verification mail) if ($result->user_active != 1) { Session::add('feedback_negative', Text::get('FEEDBACK_ACCOUNT_NOT_ACTIVATED_YET')); return false; } return $result; }