"Biltmore can't log in," David's boss said in a panic, "you need to fix this. Now!"
It was the perfect way to start a Monday morning. When Biltmore couldn't log in, that meant that Biltmore couldn't get Biltmore's executive reports. And that meant that the entire company would grind to a halt and focus entirely on getting Biltmore's reports.
Grudgingly, David called up Biltmore. And as expected, Biltmore wasn't happy. "It keeps asking for my bloody PIN number," Biltmore cursed, "Why do I have to keep typing in my bloody PIN number? I need my reports!"
For some reason - perhaps the original developer's insanity, or perhaps Biltmore's - the executive reporting system authenticated users with a four-digit PIN number. David selected his own name from the list and typed in his PIN number: 7734. And the system worked like a charm. Well, as charming as a rickety, old PHP-based reporting system can be.
No one had touched the code in ages, so David assumed the problem was with Biltmore's browser. Perhaps it was overflowing temp files? Or security settings? Disabled cookies? Corrupt files? David tried it all to no avail. And each step of the way, Biltmore became more and more aggravated.
"Where are my reports!?" Biltmore insisted, "I need them now!"
On a whim, David asked Biltmore for his PIN number. "Hmphf," Biltmore scoffed, "I just changed it, and now I'll have to change it again! My bloody PIN number is 0010!"
And then it hit him. David made a new account, set the PIN number to be "0010," and logged in. He clicked through the site for exactly ten seconds. And then he was kicked off. It asked him for his PIN again.
Confirming his suspicion, he jumped into the logon code...
$_SESSION['TIMEOUT'] = $this->getTimeOut();
Digging a bit further, David looked for getTimeOut...
function getTimeOut()
{
    return $_POST['pin_number'];
}
Fearing that he'd break the old PHP system, David reset Biltmore's PIN number to 1337 and cautioned Biltmore about changing it to anything "less than" 1000 again.
|
Fixed it:
function getTimeOut() { return 1000+(int)$_POST['pin_number']; } |
|
This is just code reuse ;). Code reuse saves money, as you know...
|
Kinda makes you wish you could reach through time and slap the developer as he wrote that function, doesn't it? |
Re: Biltmore Can't Log In
2008-01-04 06:00 • by Tom Melly (unregistered)
|
It's a fairly common (and sensible) requirement. I help design and support clinical databases. Nurses will generally use shared terminals on, for example, a ward. You don't want nurse B using nurse A's session to enter data, so nurses will generally get a lower timeout than an office-based admin who has sole use of a terminal. We actually implement 3 timeouts - in order of precedence, the user's timeout (if set), the group timeout (if set), the global timeout (fallback). Well, that's the theory, but it generally comes down to bitching to the admin to get your timeout increased. |
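The logon path from the story with the timeout decoupled from the credential, as an added example (not code from the article or from the original system): the idle timeout is resolved from server-side policy using the user, group, global precedence described in the comment above, and the PIN is only ever checked against its hash. The policy values, account names and function names are hypothetical, and a plain array stands in for $_SESSION so the script runs from the command line.

```php
<?php
declare(strict_types=1);

// Hypothetical server-side policy, in seconds (constructed sample values).
$policy = [
    'user'   => ['biltmore' => 3600],
    'group'  => ['ward' => 120, 'office' => 1800],
    'global' => 900,
];

// Precedence: the user's timeout, then the group's, then the global fallback.
function resolveTimeout(array $policy, string $user, string $group): int
{
    return $policy['user'][$user] ?? $policy['group'][$group] ?? $policy['global'];
}

// The PIN is only ever compared with its stored hash; nothing else reads it.
function verifyPin(string $pin, string $storedHash): bool
{
    return preg_match('/\A\d{4}\z/', $pin) === 1 && password_verify($pin, $storedHash);
}

// Idle check: expire the session once the gap since the last request exceeds its timeout.
function sessionAlive(array &$session, int $now): bool
{
    if (!isset($session['TIMEOUT'], $session['LAST_SEEN'])
        || $now - $session['LAST_SEEN'] > $session['TIMEOUT']) {
        $session = [];
        return false;
    }
    $session['LAST_SEEN'] = $now;
    return true;
}

// Constructed walk-through: PIN 0010, ward group, login at t=0.
$session = [];                       // stands in for $_SESSION
$hash = password_hash('0010', PASSWORD_DEFAULT);
if (verifyPin('0010', $hash)) {
    $session = [
        'USER'      => 'newuser',
        'TIMEOUT'   => resolveTimeout($policy, 'newuser', 'ward'),
        'LAST_SEEN' => 0,
    ];
}
var_dump($session['TIMEOUT']);          // policy value, not the PIN
var_dump(sessionAlive($session, 11));   // still inside the idle window
var_dump(sessionAlive($session, 500));  // idle too long: session cleared
```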
|
To login please enter your User Name:********
Please enter your Timeout:**** |