w34u/ssp

Secure login system for php frameworks, applications and sites

v3.1.1 2017-06-06 16:51 UTC

README

Secure login system for php frameworks, applications and sites

These set of php routines are designed to allow php developers to easily secure a site or an application.

Based on the ideas and information written about in [Innocent Code] (http:///www.amazon.co.uk/Innocent-Code-Security-Wake-up-Programmers/dp/0470857447/ref=sr_1_1?ie=UTF8&s=books&qid=1266594625&sr=1-1) by the security consultant [Sverre H. Huseby] (http://shh.thathost.com/) the code attempts to make the site resilient against most forms of attack.

Installation

composer require w34u/ssp

  1. Move vendor/w34u/ssp/cfg to version controlled part of your project, preferably outside the browser viewable part of your project.

  2. Rename vendor/w34u/ssp/cfg/Configuration.change.php to Configuration.php and assign values to all the properties to do the database connection and secure your site.

  3. Add "autoload": { "psr-4": { "w34u\\ssp\\": "cfg/" } }, to composer.json so that the configurations load and then run 'composer dumpautoload' to refresh the loader.

  4. Move vendor/w34u/ssp/cfg/sspadmin to a browser viewable area and ensure sspadmin/includeheader.php requires the composer autoloader in vendor.

  5. Point your favourite browser at sspadmin/setup and follow the instructions to create the database and your first admin login.

[Originally hosted on source forge for old versions] (https://sourceforge.net/projects/ssprotection/)

System requirements

PHP >= 5.5 and up.

adodb/adodb-php >= 5.0

mbstring

mcrypt

Attacks hardened against are:

  • Sql injection.
  • Invalid character injection in forms.
  • Javascript injection in forms.
  • Sesson theft.
  • Session takeover.
  • One forms out put being used into another.
  • Designed to be used with ssl thus helping to prevent man in the middle type attacks.

Facilities provided by this set of libraries and routines:

  • Basic joinup routine.
  • Password recovery.
  • User admin.
  • User self admin.
  • Fully templated using fast simple template class.
  • Powerful (and paranoid) form building class.
  • Data checking class.
  • Useful lister and html menu list generation classes
  • Works with php 5.0 upwards
  • Uses database abstraction to work with most databases, has been used with MySql, Access and MS Sql Server.
  • Multi lingual capability with browser language checking.

Highly configurable session, login and debug:

  • Http or Https.
  • Variable number of actals for ip checking.
  • Fully configurable on types of checks to be done.
  • Login by email or username.
  • Extend the login for other user inputs.
  • Error output either to screen or log file for live sites.