Hi!
Although you have outlined teh functionality quite well I have some questions. Like:
1) SHould it trigger the "verification timeout" ONLY if the first submission to the other site (CURL) was successful or regardless of teh outcome?
2) On subsequent attempt to submit (trough sevelar initially opened, when it's allowed, forms in multiple browser tabs/windows) should it preserve teh submitted data and load that on the form when it's allowed again, or dismiss everytihng and always load a blank form when allowed?
3) Storing the user quasi-session (IP + timestamp) in a file has one major drawback in comparison with storing into a database, especially with the increase in visits count, teh file will grow larger and larger over time, and because the files are with sequential type of access it will take increasingly more time to find the IP record, if any, in it, not to mention when you have to substitute data in teh middle of it you'll have to go thgough the whole file from beginning to the end reading and subsequently writing. And you'll certainly have visits that ask to to the same in the mean time, so the potential for not being able to verify, due to file locks, or corrupt the file is considerably great.
4) When in "non-allowed" state should it load the form, as well as the message, but in some "disabled to use" state, or just the message?
I think these are enough for now to get a better understanding for the assignemt.
Regards,
Dobri