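/**
 * Checks whether the user submitted a correct POST authentication code and
 * discards the code when too many failed attempts have been made.
 *
 * Use this method instead of comparing the code yourself. This ensures the
 * following:
 * - A consistent API (always the same POST field: POST_auth_code)
 * - The code is discarded after 500 failed attempts (the session key holding
 *   it is unset, so a new one should be generated), which slows down brute
 *   forcing of the code
 * - The comparison is constant-time (hash_equals), so the code cannot be
 *   guessed byte by byte through response timing
 * - Only a non-empty string is accepted; a missing field or an array value
 *   (e.g. POST_auth_code[]=x) is rejected instead of raising an error
 *
 * NOTE(review): the code is NOT refreshed after a successful check; only the
 * failed-attempt counter is reset. If single-use codes are required, the
 * caller has to discard the session key itself.
 *
 * @see getPostAuthCode()
 * @api
 * @return boolean True if the code was correct, false otherwise
 */
public function checkPostAuthCode()
{
    $postField = 'POST_auth_code';
    // The key of the $_SESSION array field with the number of failed attempts to check a POST authentication code
    $postAuthAttempts = 'POST_auth_attempts';
    // Number of failed attempts after which the code is thrown away so a fresh one should be generated
    $maxAttempts = 500;

    BeeHub::startSession();
    if (!isset($_SESSION[$postAuthAttempts])) {
        $_SESSION[$postAuthAttempts] = 0;
    }

    $submitted = isset($_POST[$postField]) ? $_POST[$postField] : null;
    $expected = $this->getPostAuthCode();

    // Both sides must be non-empty strings before hash_equals() is called:
    // it raises a TypeError on non-string arguments, and an empty expected
    // code must never "match" an empty submission. A submitted '0' is a
    // legitimate string here (empty() would have rejected it).
    $matches = is_string($submitted)
        && $submitted !== ''
        && is_string($expected)
        && $expected !== ''
        && hash_equals($expected, $submitted);

    if (!$matches) {
        $_SESSION[$postAuthAttempts]++;
        if ($_SESSION[$postAuthAttempts] >= $maxAttempts) {
            // Too many failed attempts: unset the key, so a new code should be generated. This is to slow down brute force attempts.
            unset($_SESSION[self::$SESSION_KEY]);
            $_SESSION[$postAuthAttempts] = 0;
        }
        return false;
    }

    // A correct code resets the failed-attempt counter; the code itself is kept.
    $_SESSION[$postAuthAttempts] = 0;
    return true;
}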