anti otp phishing

verifyOTP.php

@@ -140,24 +140,31 @@ if ($scDiff == 0) { // Same use session, check time stamp diff
 		sendResp(S_REPLAYED_OTP);
 		exit;
 	} else {
+		updDB($ad['id'], $decoded_token, $client);
 		$tsDelta = $tsDiff * TS_SEC;
-		debug("Timestamp OK (" . $ts . ") delta count=".$tsDiff.
+		debug("Timestamp OK (" . $ts . ") delta count=" . $tsDiff .
-			'-> delta secs='.$tsDelta);
+		'-> delta secs=' . $tsDelta);
 	}
 
-	$lastTime = strtotime($ad['accessed']);
+	//// Check the real time
-	//$lastAccess = $ad['accessed'];
+	//
-	//echo 'Last accessed: '.$lastAccess.' '.date("F j, Y, g:i a", $lastTime)."\n";
+	
-	$elapsed = time() - $lastTime;
+	if ($ad['chk_time']) {
-	debug('Elapsed time from last validation: '.$elapsed.' secs');
+		$lastTime = strtotime($ad['accessed']);
-	$deviation = abs($elapsed - $tsDelta);
+		//$lastAccess = $ad['accessed'];
-	debug("Key time deviation vs. real elapsed time=".$deviation.' secs');
+		//echo 'Last accessed: '.$lastAccess.' '.date("F j, Y, g:i a", $lastTime)."\n";
-	if ($deviation > TS_TOLERANCE * $elapsed) {
+		$elapsed = time() - $lastTime;
-		debug("Is the OTP generated from a real crypto key?");
+		debug('Elapsed time from last validation: ' . $elapsed . ' secs');
-		sendResp(S_SECURITY_ERROR);
+		$deviation = abs($elapsed - $tsDelta);
-		exit;
+		debug("Key time deviation vs. elapsed time=".$deviation.' secs ('.
+			($deviation/$elapsed).'%)');
+		if ($deviation > TS_TOLERANCE * $elapsed) {
+			debug("Is the OTP generated from a real crypto key?");
+			sendResp(S_SECURITY_ERROR);
+			exit;
+		}
 	}
-}
+} // End check time stamp
 
 //// Check the high counter
 //