w34u/ssp

Secure login system for php frameworks, applications and sites


README

Secure login system for php frameworks, applications and sites

These set of php routines are designed to allow php developers to easily secure a site or an application.

Based on the ideas and information written about in [Innocent Code] (http:///www.amazon.co.uk/Innocent-Code-Security-Wake-up-Programmers/dp/0470857447/ref=sr_1_1?ie=UTF8&s=books&qid=1266594625&sr=1-1) by the security consultant [Sverre H. Huseby] (http://shh.thathost.com/) the code attempts to make the site resilient against most forms of attack.

Installation

composer require w34u/ssp

  1. Move vendor/w34u/ssp/cfg to version controlled part of your project, preferably outside the browser viewable part of your project.

  2. Rename vendor/w34u/ssp/cfg/Configuration.change.php to Configuration.php and assign values to all the properties to do the database connection and secure your site.

  3. Add "autoload": { "psr-4": { "w34u\\ssp\\": "cfg/" } }, to composer.json so that the configurations load and then run 'composer dumpautoload' to refresh the loader.

  4. Move vendor/w34u/ssp/cfg/sspadmin to a browser viewable area and ensure sspadmin/includeheader.php requires the composer autoloader in vendor.

  5. Point your favourite browser at sspadmin/setup and follow the instructions to create the database and your first admin login.

[Originally hosted on source forge for old versions] (https://sourceforge.net/projects/ssprotection/)

System requirements

PHP >= 5.5 and up.

adodb/adodb-php >= 5.0

mbstring

mcrypt

Attacks hardened against are:

  • Sql injection.
  • Invalid character injection in forms.
  • Javascript injection in forms.
  • Sesson theft.
  • Session takeover.
  • One forms out put being used into another.
  • Designed to be used with ssl thus helping to prevent man in the middle type attacks.

Facilities provided by this set of libraries and routines:

  • Basic joinup routine.
  • Password recovery.
  • User admin.
  • User self admin.
  • Fully templated using fast simple template class.
  • Powerful (and paranoid) form building class.
  • Data checking class.
  • Useful lister and html menu list generation classes
  • Works with php 5.0 upwards
  • Uses database abstraction to work with most databases, has been used with MySql, Access and MS Sql Server.
  • Multi lingual capability with browser language checking.

Highly configurable session, login and debug:

  • Http or Https.
  • Variable number of actals for ip checking.
  • Fully configurable on types of checks to be done.
  • Login by email or username.
  • Extend the login for other user inputs.
  • Error output either to screen or log file for live sites.