Simple PHP mails me twice!

I have a protected webpage that sits behind a simple PHP script. The main purpose of the script is to allow people who know the password access to the protected page. The script also has a few extras, one of which is sending a mail to me if someone enters an incorrect password.
The problem I have is when an incorrect password is entered, I get mailed twice, when I was expecting only to be mailed once.
Please can someone point out where the script is falling down?
Many thanks!
The script is called 'pass.php' and its contents are below:
<?php
session_start();
//--------------------------
// user definable variables:
//--------------------------
// maximum number of seconds user can remain idle without having to re-login:
// use a value of zero for no timeout
$max_session_time = 0;
// type of alert to give on incorrect password:
$alert = "si77@email.com";
// $alert = "";
// acceptable passwords:
// $cmp_pass = Array();
// $cmp_pass[] = md5("default");
$cmp_pass[] = md5("password");
// maximum number of bad logins before user locked out
// use a value of zero for no hammering protection
$max_attempts = 2;
// url to go to if ok
$formurl = "http://www.website.com/protectpage.html";
//-----------------------------
// end user definable variables
//-----------------------------
// save session expiry time for later comparison
$session_expires = $_SESSION['mpass_session_expires'];
// have to do this otherwise max_attempts is actually one less than what you specify.
$max_attempts++;
if(!empty($_POST['mpass_pass']))
{
    // store md5'ed password
    $_SESSION['mpass_pass'] = md5($_POST['mpass_pass']);
}
if(empty($_SESSION['mpass_attempts']))
{
    $_SESSION['mpass_attempts'] = 0;
}
// if the session has expired, or the password is incorrect, show login page:
if(($max_session_time>0 && !empty($session_expires) && time()>$session_expires) || empty($_SESSION['mpass_pass']) || !in_array($_SESSION['mpass_pass'],$cmp_pass))
{
    if(!empty($alert) && !in_array($_SESSION['mpass_pass'],$cmp_pass))
    {
        // user has submitted incorrect password
        // generate alert:
        $_SESSION['mpass_attempts']++;
        $alert_str = $_SERVER['REMOTE_ADDR']." entered ".htmlspecialchars($_POST['mpass_pass'])." on page ".$_SERVER['PHP_SELF']." on ".date("l dS of F Y h:i:s A")."\r\n";
        mail($alert,"Bad password on ".$_SERVER['PHP_SELF'],$alert_str,"From: ".$alert);
    }
    // if hammering protection is enabled, lock user out if they've reached the maximum
    if($max_attempts>1 && $_SESSION['mpass_attempts']>=$max_attempts)
    {
        exit("Too many login failures.");
    }
    // clear session expiry time
    $_SESSION['mpass_session_expires'] = "";
?>
HTML page with:
<h4>Password</h4>
<form action="pass.php" method="post">
<input type="password" name="mpass_pass">
<input type="submit" value="login">
</form>
<?php
    // and exit
    exit();
}
// if they've got this far, they've entered the correct password:
// reset attempts
$_SESSION['mpass_attempts'] = 0;
// update session expiry time
$_SESSION['mpass_session_expires'] = time()+$max_session_time;
// end password protection code
header( "Location: $formurl" );
exit;
?>
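
Added example, not part of the original post: in the script above the alert branch runs on every request whose session holds no valid password, including the first GET of the login form, so this sketch sends mail only on a failed POST, checks the password with password_hash()/password_verify() instead of md5(), and leaves the entered password out of the alert. The alert address, URL and password are placeholders, and the session timeout feature is omitted.

```php
<?php
// Added example, not the poster's script. Address, URL and password are placeholders.
session_start();

$alert        = 'admin@example.com';   // placeholder alert recipient
$formurl      = 'http://www.website.com/protectpage.html';
$max_attempts = 2;
// Assumption: in production, store the password_hash() output instead of
// hashing a literal on every request.
$pass_hash    = password_hash('password', PASSWORD_DEFAULT);

$_SESSION['mpass_attempts'] = $_SESSION['mpass_attempts'] ?? 0;

// Lock out before doing any work. The counter lives in the session, so it only
// slows clients that keep their cookie.
if ($max_attempts > 0 && $_SESSION['mpass_attempts'] >= $max_attempts) {
    http_response_code(429);
    exit('Too many login failures.');
}

// Only a POST carrying the field counts as a login attempt; a plain GET of the
// form no longer reaches the mail() call.
$attempt = $_SERVER['REQUEST_METHOD'] === 'POST'
    && isset($_POST['mpass_pass']) && is_string($_POST['mpass_pass']);

if ($attempt && password_verify($_POST['mpass_pass'], $pass_hash)) {
    session_regenerate_id(true);            // new session id after login
    $_SESSION['mpass_attempts'] = 0;
    header('Location: ' . $formurl);
    exit;
}

if ($attempt) {
    $_SESSION['mpass_attempts']++;
    // One alert per failed submission. The entered password is left out:
    // near-miss typos of the real password would otherwise sit in a mailbox.
    $body = sprintf("%s failed login on pass.php at %s (attempt %d)\r\n",
        $_SERVER['REMOTE_ADDR'], date('c'), $_SESSION['mpass_attempts']);
    mail($alert, 'Bad password on pass.php', $body, 'From: ' . $alert);
}
?>
<h4>Password</h4>
<form action="pass.php" method="post">
<input type="password" name="mpass_pass">
<input type="submit" value="login">
</form>
```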