Phplogin

Feature

• Add support for authenticated user accounts to any PHP application!
• User registration.
• User login.
• User logout.
• Both sessions and cookie-based authentication are supported.
• Passwords and session ID's are securely encrypted.
• Supports multiple encryption algorithms: md5, sha1, sha256, and sha512.
• Multiple database types are supported: mysql, mysqli, mssql, and pgsql.
• All queries use prepared statements (unless not supported by the database extension you're using) for added security against SQL injection attacks.
• The code is object-oriented and modular, designed to easily "plug in" to any existing PHP application you're using or building.
• Users' IP addresses are logged (but not publicly viewable) for added security.
• Support for optionally requiring email confirmation of new user accounts before they can login.
• Registration ensures a valid email address is used and blocks deceptive/malicious usernames (like "root" and "administrator") from being registered at the user-level.
• Different account "groups" or types can be created if you want your site to have tiered permissions (i.e. admins, moderators, regular users, newbies, etc). The first account created (by you) is automatically the "superuser" admin account and cannot be deleted or restricted.
• Troublesome users (and, if you wish, their IP addresses) can be banned.
• All logins (including superuser and admins) go through the same login page for your convenience.
• You can do a "circle check" on a user account or IP address. This is an admin feature that recursively scans the database for all other user accounts that were logged-in using that IP address, then it does the same for all the IP addresses associated with those accounts, etc. This is a "hatchet" maneuver that you can use to identify and ban conceivably thousands of accounts belonging to a single spammer in a matter of seconds.
• Automated password reset via email. The user must click a link provided in the reset email as a security measure.
• A toggleable option that, if enabled, allows users to enter their email address instead of username on the login form. It's slightly less secure but far more convenient for the end-user, so you can choose which is best for your site's needs.
• Users can change their own passwords.
• If you change the encryption algorithm used, older passwords in the database remain valid and unaffected.
• For security reasons, phpLogin does NOT use "secret questions." After all, the most secure password in the world is useless if all a person has to do is answer, "Where did you go to highschool?" to get around it.
• Numerous failed login attempts in a short period of time automatically triggers a temporary login ban to prevent BFG attacks.
• Optionally uses phpMeow (my rendition of Oli's "KittenAuth" concept) image verification on registration and multiple login attempts to deter spambots.
Download this project