Пример #1
session_start();
if ($_POST) {
    if (empty($_POST[AuthController::LOGIN_FORM_USER]) || empty($_POST[AuthController::LOGIN_FORM_PASS])) {
        $flash = array();
        $flash['class'] = 'danger';
        $flash['message'] = 'Please enter a username and password';
    } else {
        if (!CaptchaController::validate_captcha($_POST[AuthController::LOGIN_FORM_CAPTCHA])) {
            $flash = array();
            $flash['class'] = 'danger';
            $flash['message'] = 'Invalid captcha';
        } else {
            $user = $_POST[AuthController::LOGIN_FORM_USER];
            $pass = $_POST[AuthController::LOGIN_FORM_PASS];
            //authenticate
            if (AuthController::is_authenticated($user, $pass)) {
                //save in session
                AuthController::save_auth($user);
                //redirect
                $redirect_url = !empty($_SESSION[AuthController::SESSION_REDIRECT_URL_KEY]) ? $_SESSION[AuthController::SESSION_REDIRECT_URL_KEY] : AuthController::LOGGED_IN_HOME_URL;
                http_response_code(302);
                header('Location: ' . $redirect_url);
                die;
            } else {
                //randomize sleep to timing string length attacks
                usleep(rand(AuthController::LOGIN_FAILED_TIMEOUT_MIN, AuthController::LOGIN_FAILED_TIMEOUT_MAX));
                $flash = array();
                $flash['class'] = 'danger';
                $flash['message'] = 'Invalid username or password';
            }
        }