Changeset 833004
- Timestamp:
- 01/04/2014 08:30:38 PM (12 years ago)
- File:
-
- 1 edited
google-authenticator/trunk/google-authenticator.php
r830737 r833004 5 5 Description: Two-Factor Authentication for WordPress using the Android/iPhone/Blackberry app as One Time Password generator. 6 6 Author: Henrik Schack 7 Version: 0.4 57 Version: 0.46 8 8 Author URI: http://henrik.schack.dk/ 9 9 Compatibility: WordPress 3.8 … … 79 79 * Check the verification code entered by the user. 80 80 */ 81 function verify( $secretkey, $thistry, $relaxedmode ) {81 function verify( $secretkey, $thistry, $relaxedmode, $lasttimeslot ) { 82 82 83 83 // Did the user enter 6 digits ? … … 118 118 $value = $value % 1000000; 119 119 if ( $value === $thistry ) { 120 return true; 120 // Check for replay (Man-in-the-middle) attack 121 if ( $lasttimeslot >= ($tm+$i) ) { 122 return false; 123 } 124 // Return timeslot in which login happened. 125 return $tm+$i; 121 126 } 122 127 } … … 189 194 $otp = ''; 190 195 } 196 // When was the last successful login performed ? 197 $lasttimeslot = trim( get_user_option( 'googleauthenticator_lasttimeslot', $user->ID ) ); 191 198 // Valid code ? 192 if ( $this->verify( $GA_secret, $otp, $GA_relaxedmode ) ) { 199 if ( $timeslot=$this->verify( $GA_secret, $otp, $GA_relaxedmode, $lasttimeslot ) ) { 200 // Store the timeslot in which login was successful. 201 update_user_option( $user->ID, 'googleauthenticator_lasttimeslot', $timeslot, true ); 193 202 return $userstate; 194 203 } else { … … 211 220 } 212 221 } 213 } 222 } 214 223 // Google Authenticator isn't enabled for this account, 215 224 // just resume normal authentication. … … 330 339 jQuery('#GA_QR_INFO').show('slow'); 331 340 }); 332 }); 333 341 }); 342 334 343 jQuery('#GA_description').bind('focus blur change keyup', function() { 335 344 chl=escape("otpauth://totp/"+jQuery('#GA_description').val()+"?secret="+jQuery('#GA_secret').val());
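Review bot: The replay guard in `verify` reads `$lasttimeslot` before the code is checked and the new slot is only written after `verify` returns, so two requests presenting the same one-time code at the same moment can both pass the `$lasttimeslot >= ($tm+$i)` test before either `update_user_option` call lands; a compare-and-update of the stored slot (or a short per-user lock around the read–verify–write sequence) would close that window. The function's return type also changed from `bool` to an `int` time slot or `false`, which the docblock above `verify` ("Check the verification code entered by the user.") no longer describes — add `@return int|false the time slot the code matched, or false when it does not match or has already been used`. The comment `// Check for replay (Man-in-the-middle) attack` names the wrong threat; `// Reject a code from a time slot that has already been used (replay protection)` states what the check actually does. `$lasttimeslot` arrives as a trimmed string (empty when no option is stored yet) and is compared loosely with an integer, so casting it with `(int)` before the comparison would make the intent explicit and PHP-8 safe. Both `verify` and the caller that stores the slot begin and end outside the shown hunks.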