From 15b2daaf194bf4b87507404679575ba04bf52a3b Mon Sep 17 00:00:00 2001
From: Paul Chen
Date: Wed, 3 Dec 2008 18:27:48 +0000
Subject: [PATCH] anti otp phishing

---
 verifyOTP.php | 35 +++++++++++++++++++++--------------
 1 file changed, 21 insertions(+), 14 deletions(-)

diff --git a/verifyOTP.php b/verifyOTP.php
index 0e4482b..ec3fc10 100644
--- a/verifyOTP.php
+++ b/verifyOTP.php
@@ -140,24 +140,31 @@ if ($scDiff == 0) { // Same use session, check time stamp diff
         sendResp(S_REPLAYED_OTP);
         exit;
     } else {
+        updDB($ad['id'], $decoded_token, $client);
         $tsDelta = $tsDiff * TS_SEC;
-        debug("Timestamp OK (" . $ts . ") delta count=".$tsDiff.
-            '-> delta secs='.$tsDelta);
+        debug("Timestamp OK (" . $ts . ") delta count=" . $tsDiff .
+            '-> delta secs=' . $tsDelta);
     }
-    $lastTime = strtotime($ad['accessed']);
-    //$lastAccess = $ad['accessed'];
-    //echo 'Last accessed: '.$lastAccess.' '.date("F j, Y, g:i a", $lastTime)."\n";
-    $elapsed = time() - $lastTime;
-    debug('Elapsed time from last validation: '.$elapsed.' secs');
-    $deviation = abs($elapsed - $tsDelta);
-    debug("Key time deviation vs. real elapsed time=".$deviation.' secs');
-    if ($deviation > TS_TOLERANCE * $elapsed) {
-        debug("Is the OTP generated from a real crypto key?");
-        sendResp(S_SECURITY_ERROR);
-        exit;
+    //// Check the real time
+    //
+
+    if ($ad['chk_time']) {
+        $lastTime = strtotime($ad['accessed']);
+        //$lastAccess = $ad['accessed'];
+        //echo 'Last accessed: '.$lastAccess.' '.date("F j, Y, g:i a", $lastTime)."\n";
+        $elapsed = time() - $lastTime;
+        debug('Elapsed time from last validation: ' . $elapsed . ' secs');
+        $deviation = abs($elapsed - $tsDelta);
+        debug("Key time deviation vs. elapsed time=".$deviation.' secs ('.
+            ($deviation/$elapsed).'%)');
+        if ($deviation > TS_TOLERANCE * $elapsed) {
+            debug("Is the OTP generated from a real crypto key?");
+            sendResp(S_SECURITY_ERROR);
+            exit;
+        }
     }
-}
+} // End check time stamp

 //// Check the high counter
 //
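Review bot: The new debug line `($deviation/$elapsed).'%)'` divides by `$elapsed`, which is `time() - $lastTime` and is 0 whenever two validations land in the same second, so the added logging itself raises a division-by-zero warning (a fatal DivisionByZeroError on PHP 8) right before the security check; the value is also a ratio, not a percent. Replace it with `debug("Key time deviation vs. elapsed time=" . $deviation . ' secs (' . ($elapsed > 0 ? round($deviation / $elapsed * 100, 1) : 'n/a') . '%)');`. The new `if ($ad['chk_time'])` gate is fail-open: a missing or null `chk_time` column skips the drift check silently, so it deserves a comment such as `// chk_time=0 disables the timestamp-drift check for this credential; a missing column also skips it` and an explicit `isset` rather than a bare truthiness test. `updDB($ad['id'], $decoded_token, $client)` now runs before the drift check can reject with S_SECURITY_ERROR, so state is persisted for an OTP that may still be refused — presumably intended to burn the token, but worth a comment saying so. The enclosing `if ($scDiff == 0)` block starts before the hunk.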