Welcome to PLM – the multilingual PHP Login-Module
Author: Tim Reeves, Current version: 3.0.0 (8. Oct. 2011)
This is a "live demo" – you are welcome to register and discover the power of PLM for yourself, see also note (2) below.
This module can be included in a PHP website to offer user registration and login, whereby the possibilities of a logged-in user are governed by a system of max. 31 system privileges and 31 opt-in groups (configurable, with associated read and write privileges). The groups are managed in the "edit account" module, govern up- and download possibilities in the repository browser, and can be used as selection criteria in user management (for example, for a mass mailing to a group or groups). Beyond that they can be accessed for your own purposes.
It stores its data in a DB, which it accesses through the Database Abstraction Layer. DAL currently allows completely transparent access to the Databases MySQL, MSSQL and MS-Access.
The basic login-module code is contained in a sub-directory; this example website also contains pages allowing profile-editing, up- and downloading to private and interest directories, and (for privileged users) user management. For those wishing to add further services to logged-in users it exports a range of values to the Superglobal $_SESSION.
The module offers two radically different approaches to user registration:
- A "Quick registration", offered by extending the login dialog "in situ" to include a minimum of critical fields.
- A "Full registration", which uses its own web page. This is highly configurable, using its own form generator and parser, so that the administrator can easily add, remove or regroup fields.
The configuration allows you to specify zero registration methods (temporarily disallow registration), either one, or both (the latter works fine but is confusing for the user).
It also offers two different types of Login-ID:
- A "User Name" – nickname, Login-ID, or whatever you like to call it.
- The Email Address of the user.
The configuration allows you to specify zero login methods (disallow login), either one, or both (the latter works fine and allows maximum flexibility for the user).
The module (incl. example pages), about 16000 lines of code, offers the following features:
- PHP Session-based
- Data storage in a database
- Suitable for use with and without SSL
- Configurable for use with any character set (content and file names, including up- and downloading)
- Uses (almost) no JavaScript (minimal, non-critical)
- Choice of database (through use of PDO - requires PHP5); contains in addition its own data abstraction layer above PDO (1)
- MySQL, MSSQL and MS-Access preconfigured in the database abstraction layer
- Barrier-free protection of registration and password reminder through use of a question-and-answer method (CAPTCHAs can be difficult to read and are not accessible to users with vision impairment)
- Multiple languages – en and de provided, each about 350 messages (not including the longer texts on web pages and in emails)
- Manages 14 active System-Privileges per account (max. 31 foreseen)
- Includes web page for account management with various features
- Account management access for the Superuser and via Privilege (2)
- Account management includes import and export of CSV lists by various criteria
- Account management allows the Superuser to delete multiple accounts
- Function "forAllUsers($func)" makes extension with your own features easy
- Includes web page to edit your account (the Superuser can edit any account)
- Includes web page "Forgot your password"
- Includes web page "Delete own account"
- Simple version updates: all your config details in a special directory
- SHA-2 hashed password storage of "Login-ID + Password". Versions for user name and email login are ALWAYS stored, so you can even change the login method in retrospect and it will still work fine.
- Spam protection on field contents (value duplication, mail-header injection, HTML or JavaScript injection, bulletin-board style injection) and on form calls (list of allowed referrers)
- Web pages can be located in the main directory or any subdirectory
- Logging of events and spam attacks, each in separate files (flat files, not DB) per calendar week (3)
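The field-content and form-call checks listed under "spam protection" above, as an added example that is not PLM's own code; the function names, the referrer list and the two sample submissions are constructed for illustration (PHP 7.1 or later):

```php
<?php
// Added example (not PLM's own code): the checks the feature list groups under
// "spam protection", written as plain functions over a submitted form array.
// Function names, the referrer list and the sample submissions are constructed.
const ALLOWED_REFERRERS = ['https://example.invalid/login.php',
                           'https://example.invalid/profile.php'];

// Mail-header injection: a CR or LF in a value that ends up in a mail header
// (From, Subject, ...) would let the sender append headers of their own.
function hasHeaderInjection(string $v): bool {
    return preg_match('/[\r\n]/', $v) === 1;
}
// HTML/JavaScript injection: a tag start, a javascript: URL or an event handler.
function hasHtmlInjection(string $v): bool {
    $re = '/<\/?[a-z!]|javascript:|\bon(load|error|click|focus|blur|mouse[a-z]*|key[a-z]*)\s*=/i';
    return preg_match($re, $v) === 1;
}
// Bulletin-board style injection: [url=...], [link], [img], [b], [i] ...
function hasBbInjection(string $v): bool {
    return preg_match('/\[\s*(url|link|img|b|i)\b[^\]]*\]/i', $v) === 1;
}
// Value duplication: bots tend to paste the same text into every field.
function hasDuplicateValues(array $fields): bool {
    $values = array_filter(array_map('trim', $fields), 'strlen');
    return count($values) > 1 && count(array_unique($values)) < count($values);
}
// Form-call check: only forms reached from a known page are accepted.
function referrerAllowed(?string $referrer): bool {
    return $referrer !== null && in_array($referrer, ALLOWED_REFERRERS, true);
}
// Returns the list of findings; an empty array means the submission looks clean.
function checkForm(array $fields, ?string $referrer): array {
    $findings = [];
    if (!referrerAllowed($referrer)) $findings[] = 'referrer not allowed';
    if (hasDuplicateValues($fields))  $findings[] = 'duplicate field values';
    foreach ($fields as $name => $v) {
        if (hasHeaderInjection($v)) $findings[] = "$name: mail-header injection";
        if (hasHtmlInjection($v))   $findings[] = "$name: HTML/JavaScript";
        if (hasBbInjection($v))     $findings[] = "$name: bulletin-board code";
    }
    return $findings;
}

// Constructed submissions: a clean one (empty result) and one to log as spam.
print_r(checkForm(['name' => 'Manny', 'email' => 'manny@example.invalid',
                   'found' => 'search engine'], ALLOWED_REFERRERS[0]));
print_r(checkForm(['name' => "Manny\r\nBcc: list@example.invalid",
                   'email' => '[url=http://example.invalid]x[/url]',
                   'found' => '[url=http://example.invalid]x[/url]'], null));
```

In the module itself a non-empty result would be written to the weekly spam log rather than printed.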
The module also offers the following options (set mainly in the config files):
- Login with Name and / or Email (here via both)
- Registration with Name and / or Email (here with both)
- Registration with/without password-repetition (here with)
- Registration can be allowed or limited to:
  - Any visitor to the website
  - Any user already registered
  - Any user with the corresponding system privilege
  - Only via a Superuser
- Quick Registration (extended login dialog) and / or Registration page (here via Registration page, which is actually the profile page in registration mode). See above.
- Manages 31 configurable Group-memberships per account (read more below)
- Manages a same-name Privilege for each Group per account (the privilege is set by the Superuser; read more below)
- Allows each user to have a private directory (either same name as login-id or value in extra DB-field)
- Includes web page for Up- and Downloading to private directories and/or group directories
- Up to 31 opt-in groups are configurable, i.e. whether to show them and, if yes, under which name. Any logged-in user can, in her profile, opt in to any interest group for which she has the read privilege, for example to receive topic-specific newsletters or to allow downloading topic-specific documents (both already implemented). If she does not have the read privilege for a group, she can apply for it. The login module exports bitmap integers of the user's interests and privileges, on which basis you can program your own extensions to the features already provided.
- User group privileges match user groups 1:1 and can only be granted by the Superuser. The up- and download dialog understands the read privileges as View and Download, the write privileges as Upload and Delete privileges for the respective interest group [directory], effectively defining a group manager. Account management, if accessible to a user, can be configured to display only users whose interests match their own interest privileges. Such a user could then perform CSV exports (for newsletters) for "her" group(s), without being able to see any users not belonging to the group(s).
- Double-Opt-In method (via Email to the user) (here selected). Otherwise a successfully registered user is immediately logged on.
- Limit on the max. no. of Login- + Register-Attempts per Session (here 4)
- Limit on the max. no. of failed consecutive login attempts per account (here 6)
- Autolock of the User-ID when this no. of bad attempts is reached (here yes)
- Extra field with a meaning of your choice (here 'How you found us')
- Automatic Email notification to Admin on important events (here yes)
- Configurable standard email recipients (for all automatic mails) and email footer text (per language)
- Configurable list of allowed referrers for valid form access
- Choice of 3 different mail methods: PHPMailer (Freeware) / PHP mail() / Pipe to mailer (the first also handles attachments)
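The group-membership and privilege bitmaps described in the options above, worked through as an added example that is not PLM's own code; the bit numbering (group 1 = bit 0), the function names and the sample values are assumptions (PHP 7 or later):

```php
<?php
// Added example (not PLM's own code): the 31-bit group and privilege bitmaps
// the module exports, with the rules the option list describes for them.
// Bit numbering (group 1 = bit 0) and the sample values are assumptions.
const MAX_GROUPS = 31;   // 31 bits keep the value a positive 32-bit integer

// Bit for group number $g (1..31).
function groupBit(int $g): int {
    if ($g < 1 || $g > MAX_GROUPS) {
        throw new InvalidArgumentException("group $g out of range 1..31");
    }
    return 1 << ($g - 1);
}
function hasBit(int $bitmap, int $g): bool {
    return ($bitmap & groupBit($g)) !== 0;
}
// Opt-in rule: a user may join group $g only if she holds its read privilege;
// without it the bitmap is returned unchanged (she has to apply for the group).
function optIn(int $interests, int $readPriv, int $g): int {
    return hasBit($readPriv, $g) ? ($interests | groupBit($g)) : $interests;
}
// Repository browser rules: read privilege = View/Download,
// write privilege = Upload/Delete, each for the group's directory.
function mayDownload(int $readPriv, int $g): bool { return hasBit($readPriv, $g); }
function mayUpload(int $writePriv, int $g): bool  { return hasBit($writePriv, $g); }
// Account-management filter: a group manager sees only users whose interests
// overlap her own read privileges.
function visibleToManager(int $managerReadPriv, int $userInterests): bool {
    return ($managerReadPriv & $userInterests) !== 0;
}

// Constructed sample values, like the bitmap integers the module exports.
$readPriv  = groupBit(2) | groupBit(5);   // may view/download groups 2 and 5
$writePriv = groupBit(5);                 // may upload/delete only in group 5
$interests = optIn(0, $readPriv, 2);      // joins group 2
$interests = optIn($interests, $readPriv, 3);   // no read privilege: unchanged
var_dump(hasBit($interests, 2), hasBit($interests, 3));        // true, false
var_dump(mayDownload($readPriv, 5), mayUpload($writePriv, 2)); // true, false
var_dump(visibleToManager($readPriv, groupBit(5)));            // true
```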
1) The module uses my own PHP class "DAL", Database Abstraction Layer, to access the DB. DAL extends PHP's PDO (which is a data access abstraction layer), providing various character set, query preparation and data formatting services, and hides the differences between MySQL, MSSQL and MS-Access. Extensions to other database types, which should not be too difficult to do, are most welcome!
2) Go on, give it a try: Superuser = "admin" with password "hallo". A user "manny", also with password "hallo", is not a Superuser but does have certain system privileges, to help you see how it works. Please don't delete any accounts which you did not create yourself.
3) Appropriate for mailing at the change of week via Cron-Job (to do)
Pages whose text consists only of Multilanguage-Messages can be called with the language as a GET-Parameter and thus need only be present once (here: logout, confirm, reminder, delete, profile, up/download, user management). Pages with more text must either be present once per language or use includes or PHP-Branches. In this module, "de/willkommen.php" is an example of a purely language-specific page.
Here are the further Readmes:
- login-readme
- mysql-readme
- privileges-readme
- import-export-readme