Session vs global/db-backed attempts

helmo · helmo · commit 4646aba11cae · 2022-03-11T22:12:56.000+01:00
diff --git a/interface/web/login/otp.php b/interface/web/login/otp.php
@@ -125,7 +125,7 @@ function finish_2fa_success($msg = '') {
 			finish_2fa_success();
 		} else {
 			//* 2fa wrong code
-			$_SESSION['otp']['session_attempts']++; // FIXME can't we skip this and rely on the DB only?
+			$_SESSION['otp']['session_attempts']++;
 			$app->db->query('UPDATE `sys_user` SET otp_attempts=otp_attempts + 1 WHERE userid = ?', $_SESSION['s_pending']['user']['userid']);
 		}
 	}

Original file line number	Diff line number	Diff line change
`@@ -125,7 +125,7 @@ function finish_2fa_success($msg = '') {`
`125`	`125`	`finish_2fa_success();`
`126`	`126`	`} else {`
`127`	`127`	`//* 2fa wrong code`
`128`		`- $_SESSION['otp']['session_attempts']++; // FIXME can't we skip this and rely on the DB only?`
	`128`	`+ $_SESSION['otp']['session_attempts']++;`
`129`	`129`	$app->db->query('UPDATE `sys_user` SET otp_attempts=otp_attempts + 1 WHERE userid = ?', $_SESSION['s_pending']['user']['userid']);
`130`	`130`	`}`
`131`	`131`	`}`