This web application is the result of an exercise from the final year of the DAW higher vocational degree at the C.D.P. José Cabrera school.
Thanks to all the developers in the community who contributed to creating the PHP application base on which this project is built: HUGE.
- built with the official PHP password hashing functions, fitting the most modern password hashing/salting web standards
- proper security features, like CSRF blocking (via form tokens), encryption of cookie contents etc.
- users can register, login, logout (with username, email, password)
- password-forget / reset
- remember-me (login via cookie)
- account verification via mail
- captcha
- failed-login-throttling
- user profiles
- account upgrade / downgrade
- simple user types (type 1, type 2, admin)
- supports local avatars and remote Gravatars
- supports native mail and SMTP sending (via PHPMailer and other tools)
- uses PDO for database access and ships a DatabaseFactory (in case your project grows big)
- uses URL rewriting ("beautiful URLs")
- proper split of application and public files (requests only go into /public)
- uses Composer to load external dependencies (PHPMailer, Captcha-Generator, etc.)
- fits PSR-0/1/2/4 coding guidelines
- uses Post-Redirect-Get pattern for nice application flow
- masses of comments
- is actively developed, maintained and bug-fixed
Licensed under MIT. Totally free for private or commercial projects.
Make sure you know the basics of object-oriented programming and MVC, are able to use the command line and have used Composer before. This script is not for beginners.
- PHP 5.5+
- MySQL 5 database (better use version 5.5+, as very old versions have a PDO injection bug)
- installed PHP extensions: pdo, gd, openssl (the install guideline shows how to do this)
- installed tools on your server: git, curl, composer (the install guideline shows how to do this)
- for professional mail sending: an SMTP account (I use SMTP2GO)
- activated mod_rewrite on your server (the install guideline shows how to do this)
Currently there are two types of users: normal users and admins. They are exactly the same, but...
- Admin users can delete and suspend other users, and they have an additional "admin" button in the navigation. Admin users have a value of 7 inside the database table field user_account_type. They cannot upgrade or downgrade their accounts (as this wouldn't make sense).
- Normal users don't have any admin features, but they can upgrade and downgrade their accounts (try it out via /login/changeUserRole), which is basically a super-simple implementation of the basic-user / premium-user concept. Normal users have a value of 1 or 2 inside the database table field user_account_type. By default, all newly registered users are normal users with user role 1.
See the "Testing with demo users" section of this readme for more info.
To prevent CSRF attacks, HUGE does this in the most common way, by using a security token when the user submits critical forms. This means: When PHP renders a form for the user, the application puts a "random string" inside the form (as a hidden input field), generated via Csrf::makeToken() (application/core/Csrf.php), which also saves this token to the session. When the form is submitted, the application checks if the POST request contains exactly the form token that is inside the session.
This CSRF prevention feature is currently implemented in the login form process (see application/view/login/index.php) and the user name change form process (see application/view/login/editUsername.php); most other forms are not security-critical and should stay as simple as possible.
A big thanks to OmarElGabry for implementing this!
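The form-token flow described above, written out as an added stand-alone example (this is not HUGE's own Csrf class; the function names, the csrf_token field name and the /login/login form action are assumed for illustration). It shows the two halves of the check, generating the token into the session when the form is rendered and comparing it in constant time when the POST arrives, with a fallback for PHP 5.5, where hash_equals() does not exist yet:

```php
<?php
// Added example, not HUGE's own Csrf class: the form-token pattern described above.
// Assumes PHP 5.5+ with the openssl extension; form action and field name are made up.
if (session_status() !== PHP_SESSION_ACTIVE) { session_start(); }

// Generate a fresh token, store it in the session and return it for the hidden field.
function makeCsrfToken()
{
    // 32 bytes from the CSPRNG, hex-encoded so it is safe inside an HTML attribute
    $token = bin2hex(openssl_random_pseudo_bytes(32));
    $_SESSION['csrf_token'] = $token;
    return $token;
}

// Compare the submitted token with the session copy in constant time.
function isCsrfTokenValid($submitted)
{
    if (!isset($_SESSION['csrf_token']) || !is_string($submitted)) {
        return false;
    }
    $expected = $_SESSION['csrf_token'];
    if (function_exists('hash_equals')) {   // PHP 5.6+
        return hash_equals($expected, $submitted);
    }
    // PHP 5.5 fallback: length check, then accumulate byte differences without early exit
    if (strlen($expected) !== strlen($submitted)) {
        return false;
    }
    $diff = 0;
    for ($i = 0, $n = strlen($expected); $i < $n; $i++) {
        $diff |= ord($expected[$i]) ^ ord($submitted[$i]);
    }
    return $diff === 0;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // Handling the submit: validate BEFORE a new token overwrites the session copy
    $submitted = isset($_POST['csrf_token']) ? $_POST['csrf_token'] : null;
    if (!isCsrfTokenValid($submitted)) {
        http_response_code(403);
        exit('Invalid form token');
    }
    // ... token matched, process the login form here
}

// Rendering the form: embed the session token as a hidden input, escaped for HTML
$token = makeCsrfToken();
echo '<form method="post" action="/login/login">',
     '<input type="hidden" name="csrf_token" value="', htmlspecialchars($token, ENT_QUOTES, 'UTF-8'), '">',
     '<input type="submit" value="Login"></form>';
```

A request without a session, or with a missing, empty or wrong-length token, is rejected by the same code path as a mismatched one, so an attacker-crafted cross-site POST never reaches the form processing.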
- How to use PDO
- A short guideline on how to use the PHP 5.5 password hashing functions and its PHP 5.3 & 5.4 implementations
- How to setup latest version of PHP 5.5 on Ubuntu 12.04 LTS
- How to setup latest version of PHP 5.5 on Debian Wheezy 7.0/7.1 (and how to fix the GPG key error)
- Notes on password hashing & salting in upcoming PHP versions (PHP 5.5.x & 5.6 etc.)
- Some basic "benchmarks" of all PHP hash/salt algorithms
- How to prevent PHP sessions being shared between different apache vhosts / different applications
- An interesting article about password resets (by Troy Hunt, security expert)
- Password-free email logins: ticket & discussion, article
- Logging in via QR code: ticket & discussion, English article, German article, repo, live demo. Big thanks to PHPGangsta for writing this!