Welcome
= htmlspecialchars($error) ?>
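= $MAX_ATTEMPTS && time() - $attempts[$ip]['last'] < $LOCK_TIME ) { http_response_code(429); die("Too many attempts. Try again later."); } }

/* ---------- LOGIN ---------- */
// The line above is the tail of the per-IP lockout check. Its opening is not
// part of this excerpt, so it is kept exactly as found.
//
// Login flow for a POST request:
//   1. verify the CSRF token against the session copy,
//   2. require the consent checkbox before any credential check,
//   3. verify the password hash, rotate the session id on success,
//   4. record a failed attempt for the client address otherwise.
// $error is rendered by the template further down the page.
$error = '';

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // hash_equals() and trim() throw a TypeError when given an array or null
    // (e.g. a request sending csrf[]=x), so every field is checked for string
    // type first. An empty or missing session token is rejected outright;
    // otherwise an empty submitted token would compare equal to it.
    $sessionToken = $_SESSION['csrf'] ?? '';
    $postedToken = $_POST['csrf'] ?? '';
    $tokenOk = is_string($sessionToken)
        && $sessionToken !== ''
        && is_string($postedToken)
        && hash_equals($sessionToken, $postedToken);

    if (!$tokenOk) {
        http_response_code(400);
        die('Invalid request');
    }

    $rawUsername = $_POST['username'] ?? '';
    $rawPassword = $_POST['password'] ?? '';
    $username = is_string($rawUsername) ? trim($rawUsername) : '';
    $password = is_string($rawPassword) ? $rawPassword : '';

    if (empty($_POST['agree'])) {
        // Consent is a hard precondition: stop here instead of falling through
        // to authentication, which previously logged the user in (or replaced
        // this message) even though the box was not ticked.
        $error = 'You must agree to the Privacy Policy and Terms & Conditions.';
    } else {
        $users = load_json($usersFile);
        $storedHash = $users[$username]['password'] ?? null;

        // NOTE(review): password_verify() only runs for known usernames, so
        // response time can reveal whether an account exists. Consider
        // verifying against a fixed dummy hash when the user is unknown.
        $valid = is_string($storedHash) && password_verify($password, $storedHash);

        if ($valid) {
            // New session id on privilege change prevents session fixation.
            session_regenerate_id(true);

            unset($attempts[$ip]);
            save_json($attemptsFile, $attempts);

            $_SESSION['user'] = $username;
            header('Location: index.php');
            exit;
        }

        // Failed login: bump the counter the lockout check reads.
        // NOTE(review): the attempts file is read and rewritten per request;
        // confirm save_json() locks the file, or concurrent failures can lose
        // increments and weaken the lockout.
        $attempts[$ip]['count'] = ($attempts[$ip]['count'] ?? 0) + 1;
        $attempts[$ip]['last'] = time();
        save_json($attemptsFile, $attempts);

        // Same message for unknown user and wrong password.
        $error = 'Invalid username or password';
    }
}
?>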
= htmlspecialchars($error) ?>