Script Version
Development Team
Thank you for downloading Advanced Login System
For those who are first time users of this script, ALS (Advanced Login System) basically locks up private web pages which you do not want the general public to access. However, what sets it apart from other similar login scripts is that not only does it have advanced features, such as CAPTCHA images and brute force protection which are more commonly seen in commercial scripts, but also the flexibility of smaller scripts. This combination is what makes Advanced Login System special.
For returning users, who have been with me since the second beta release or even the very first beta release, welcome to the third Beta release, which has completely revolutionised the ALS script. New protection methods, more efficient code and greater flexibility await you, on top of an even more stable platform. Special emphasis has been placed on greatly improving the security of the system, and many new security measures are mentioned in the changelog below.
It is also with great pleasure that I announce that this will be the final Beta release. I believe that over the course of 3 years, Advanced Login System has matured enough to be released as a final product. Compared to the very first Beta, or even the second Beta, the third Beta is a remarkable leap in terms of stability, security and pretty much every other aspect. Hence, be prepared to be awed by the new features of the third Beta, the most stable and reliable release yet.
For a full list of new features, please refer to the changelog below.
v0.03B Preview 2
- reset.php
- get_user_info function that will return the user's data in an array.
- changepass.php
- alslanguages/alslang-english.php). Added language file version check to prevent issues in older systems.
- session_auto_expire() function to facilitate session expiry. Session expiry period defined in config.php.
- lastip() function which will return the value of the IP where the user last logged out.
- allow_url_fopen setting during installation. Displays a suitable warning message if the setting is turned off.
- allow_url_fopen disabled.
- alssystem/functions.php for reusability.
- stripslashes() and mysql_real_escape_string() added to prevent SQL injections.
- mysql_close() function added to pages.
- changepass.php
v0.03B Preview
v0.02B
Minimum Requirements
Installation Instructions
- login.php file on your server. Eg. http://www.example.com/privatearea/login.php
- Delete the install folder from the folder alssystem. (Outside development mode the script checks for this folder; see the Security Notes in the development section.)
Upgrade
Right now, the installer function does not provide any upgrade function, but you should be able to use the installer to upgrade your Second Beta and your third Beta Preview without any major issues. This is because the database design has not been changed since v0.03 Beta Preview, where I added a new database table, which can be installed on top of the second beta by using the provided installer. However, the upgrade function is not officially supported.
$mysql_username - Your MySQL database username.
$mysql_password - Your MySQL database password.
$mysql_dbname - The name of the database that you are going to install ALS on.
$mysql_host - Your database host. Most likely localhost unless you are using some external host.
$mysql_pretext - The prefix before your table names. Ensures no conflicting table names with any currently installed ALS systems.
$allow_guest_to_register = (TRUE/FALSE) - Set to TRUE if you want anyone to be able to register at your site. Set to FALSE if you want to add users manually yourself. (Can be done by accessing register.php and entering your MySQL username and password.)
$need_to_validate_acct = (TRUE/FALSE) - Set to TRUE if you want users to validate their email first before allowing them to login. I would suggest you set it to FALSE if your server does not allow the mail() function.
$display_bot_image = (TRUE/FALSE) - Setting it to TRUE will make the user enter a randomly generated CAPTCHA number during registration. This helps protect your server against spam registrations by bots. Set it to FALSE if you don't have the GD library installed on your server. (i.e. You cannot see the image.)
$display_bot_image_login = (TRUE/FALSE) - Setting this to TRUE will display a CAPTCHA image during login which the user will have to enter. This helps prevent bots attempting to brute force their way into the system. Again, set it to FALSE if you don't have the GD library installed on your server. (i.e. You cannot see the image.)
$admin_email = (youremail@provider.com) - Self-explanatory. Your email address.
$redirectpage = (page.php) - Page for users to be redirected to if they login from login.php. (If users login from another page, they will be redirected to the page they logged in from.)
$prunetime = (180) - Number of minutes to keep the login attempts in the database. The longer the attempts are kept, the larger your database file will be. However, setting it to a value below 15 will render ALS's in-built brute force protection useless.
$session_key = (key)/FALSE - Any random string of characters to generate an encryption key for use in session encoding. You are strongly encouraged to change this from the default value. Set to FALSE if you do not wish to use this feature.
$session_expiry = (0)/FALSE - The number of minutes before the session will expire after a user logs into the system. Set to 0 to disable this feature.
$captcha_expire = (60) - The number of seconds before the CAPTCHA image will expire, starting from the time it was generated. Set to 0 to disable this feature.
$minpasslen = (0) - The minimum number of characters a password must have. Set to 0 to disable this feature.
$theme = (theme name) - The name of your theme file. Should be the folder name of the theme. Theme folders are supposed to be placed in alssystem/themes. For more details, read the themes section below.
$language = (language name) - The name of your language file. For more details, read the languages section below.
$development = (TRUE/FALSE) - Setting it to TRUE will turn on development mode. To read more about development mode, read the development section. You are advised to set it to FALSE if you are running the script on a public server.
$updatechecking = (TRUE/FALSE) - Setting it to FALSE will turn off update checking. To prevent bug exploits, you are strongly recommended to set it to TRUE.
How to protect your pages
Place the following chunk of code at the beginning of the page you want to protect:
<?php
session_start();      // ALS keeps the login state in the PHP session
ob_start();           // buffer output so als.php can still send HTTP headers before any page content
include ("als.php");  // runs check_login() and session_auto_expire(); visitors who are not logged in do not get past this line
ob_end_flush();
?>
Note that the page you want to protect must have a .php
file extension or any other extension that your server will parse as PHP code.
Logout/Change Password
- Logout: link the user to login.php?logout=1. Alternatively, you could create another page that incorporates the logout() function provided. (Read the Developer Section below.)
- Change password: changepass.php
Disabled Public Registration
To disable registration by the public, you need to turn the $allow_guest_to_register setting in config.php to FALSE.
Even with disabled public registration, you can add users by accessing register.php
and logging in with your MySQL username and password. Once logged in, you can add users by filling out the registration form.
Updating the script
To automatically check for updates, you need to set the $updatechecking variable to TRUE and ensure that the allow_url_fopen setting in php.ini is turned on. (Ask your server administrator about this.) During installation, if the script detects that the setting is turned off, it would display a warning message. You are then recommended to check my website for updates regularly.
There are 2 types of updates - Critical and Non-Critical. Critical updates are usually security patches or version upgrades and you are recommended to update your system immediately. In the case of a critical update, the script will be terminated from running to protect any sensitive data. Non-critical updates are usually reserved for bug fixes that are not related to the integrity of the system. While the script will still run as per normal, you are advised to patch your system immediately.
All parts of this script are copyrighted to Wu Xiao Tian and iQuest Studios. No redistribution, copying or other form of transmission, via electronic or non-electronic means, of any part of the code in this script is allowed, unless with written permission from the script author (Wu Xiao Tian).
Terms of Use
By downloading the script from the iQuest Studios server, you agree to the following terms of usage.
YOU ARE NOT ALLOWED TO REDISTRIBUTE ANY PART OF THE SOURCE CODE NOR ARE YOU ALLOWED TO REMOVE THE COPYRIGHT FROM ANY OF THE FILES IN ADVANCED LOGIN SYSTEM OR EDIT IT IN ANY WAY THAT CHANGES ITS ORIGINAL MEANING. THE COPYRIGHT MUST BE DISPLAYED CLEARLY ON ALL THE PAGES AT ALL TIMES.
Disclaimer
Although this script has been tested extensively, there may be security bugs and system instability in the script. Hence, by downloading this script, you agree to use the script at your own risk. iQuest Studios and the script author will NOT be held responsible for any loss in any form arising from the use of this script.
Due to past violation of copyright incidents, I have decided to encode the script so as to make it more difficult to remove the copyright. However, if your server does not have Zend Optimizer installed, or you cannot run the script for some reason, or you simply want to take a look into the source code, you can purchase the unencoded version for USD$20 (payment via Paypal only). For this amount, you will also receive unencoded updates to the script version you purchased. Upon receipt of your payment, I will email you the unencoded version as soon as possible. However, please note that update.php will not be released as it may cause a security breach on the update server.
If you like my work and would like to show support for my effort, you are more than welcome to donate to me. These donations will help with my economic burden and let me spend more time developing free scripts for everyone.
To allow for much easier design customization and integration, I have added a themes feature to ALS in this version. ALS themes allow you to integrate the login system into any existing site design with just some simple tweaking of CSS stylesheets. ALS themes are also designed to work with the new Integrated Contact Form (v0.06B and above), which I am still working on now, so it will be really easy to integrate both scripts into your current site design.
Creating your theme isn't hard at all, as long as you have some basic CSS knowledge. You can take a look at the included themes to understand which class is which, and then you should be pretty much ready to create your own theme for ALS. You can also read this guide to get some basic idea of themes, and get started from there.
A theme consists of a folder, which is placed in alssystem/themes. The folder name should be the theme name, which will be the value you set for the $theme variable in config.php. The theme name should not have any spaces, and special characters should be avoided, due to the way different browsers interpret the CSS stylesheet linking code. Inside the theme folder, you should have a CSS file named alsstyle-theme.css where theme is the theme name. So for example, if we have a theme named "redblack", then there should be a folder called redblack in the alssystem/themes folder. Inside the redblack folder, there should be a file named alsstyle-redblack.css. Simple, right?
Well, another cool thing about themes is that you can add custom images to various pages (eg. the login page and the registration page). To add images to your theme, place an images folder inside your theme folder, and place the images inside that folder. However, there are a few rules: the image name must be equal to the file name of the page (eg. the image to be displayed on the login page [login.php] has to be named login.png). Also, the image MUST be a png file. Also note that the image will always be aligned to the right of the table.
Theme customization/creation is mainly about the tweaking of the CSS values of the various classes defined in the login system by me. Hence, a simple change in say the value of the background color can produce a very different feel. This section aims to get you familiarized with the various CSS classes in the script.
a - All links will be formatted with these attributes. a:visited, a:hover etc. work as per normal.
body - Used to define the background color or background image.
p - Default style for displaying error messages.
.text - Default style for displayed text.
.heading - Style for the heading.
.maintable - Style for the entire table. Use this to define the width, height etc. attributes of the table. Do NOT define any text attributes here (eg. font-family, font-size etc.). Define them under .text.
.tableheading - Style for the table header. Do NOT define any text attributes here (eg. font-family, font-size etc.). Define them under .heading.
.contenttable - Style for the table row which will contain all the form elements. Use this to define the background color etc. Do NOT define any text attributes here (eg. font-family, font-size etc.). Define them under .text.
.footlinks - Style for the links to registration and password reset pages at the bottom of the login page.
input - Style for all the form elements in the system.
To quickly switch themes without editing config.php in development mode, just add ?settheme=theme to the end of the URL, where theme is the theme name.
Note that this is the first version of ALS featuring themes support, so it may not be flexible enough to fully customize the layout of the page. However, this is something I am working on and I would value all feedback from developers.
If you have any queries, feel free to contact me.
This is the first version of Advanced Login System that has support for different languages. Due to rising popularity of this script, I have decided to include language files in this version, so as to cater to those who are non-English speakers or non-native English speakers in the international community. Hence, these users can now use ALS in their own native languages without having to open up the login files and trying to figure which parts of the code to edit. Even for native English speakers, you can use the language files to customize text on the script without having to edit the files manually.
Language file names should come in the format alslang-language.php where language is the name of the language. All language files should also be placed in the alssystem/languages subfolder.
Creating a language file is easy. You can easily start off by looking into the English language file. All of the text is defined as constants, in the form of define ("CONSTANTNAME","Text to be displayed");. This guide will serve to familiarize you with the various constants I have used.
For the login page [login.php], we have:
LOGINTITLE - The HTML title for the login page.
LOGINHEADER - The text displayed in the header row of the table.
LOGINTEXT - The text displayed above the login form.
USERNAME - The username field descriptor. Used across all forms.
PASSWORD - The password field descriptor. Used across all forms.
IMGVALIDATION - The CAPTCHA field descriptor. Used across all forms.
REFRESHMSG - The link to refresh the CAPTCHA image. Surround the text you want to use as a link with % tags (eg. %refresh%).
RMBPASS - The remember password field descriptor.
SECURITYMSG - The text to display in an alert when the user clicks on the Remember Password checkbox.
LOGINBUT - The text in the value attribute of the form submit button on the login page.
REGLINK - The text containing the link to the registration form.
RSTLINK - The text containing the link to the reset password page.
For the various messages that will be displayed after the form is processed [login.php], we have:
CAPTCHAEXPIRE - Text to display when the CAPTCHA code has expired after the set time in config.php.
WRONGIMG - Wrong CAPTCHA code.
TRIESLEFT - Tries left text.
WRONGACCT - Text to display when the username and password combination is wrong.
EXCEEDTRIES - Text to display after the user failed to login after 3 tries.
RETRY - Link to allow the user to retry. Used across the system.
When the user logs out:
SESSIONEXPIRE - Text to display after the user's session expired after a set amount of time (defined in config.php).
LOGOUT - Message to be displayed upon successful logout.
CONT - Link to continue to the previous page or $redirectpage as defined in config.php. This is used across the system.
For the registration page [register.php], we have:
REGISTERTITLE - The HTML title for the registration page.
REGISTERHEADER - The text displayed in the header row of the registration table.
REGISTERTEXT - The text displayed above the registration form.
CONPASS - The confirm password field descriptor. The username and password field descriptors are defined above. Used across all forms.
EMAIL - The email address field descriptor. Used across all forms.
REGISTERBUT - The text in the value attribute of the form submit button on the registration page.
EXITBUT - The text in the value attribute of the button to go back to the login page. Used across all forms.
For the account activation page [register.php?activate=1]:
ACTTITLE - The HTML title for the activation page.
ACTHEADER - The text displayed in the header row of the activation table.
ACTMSG - The text displayed above the activation form.
ACTKEY - The activation key field descriptor.
ACTBUT - The text in the value attribute of the form submit button on the activation page.
For the various messages that will be displayed after the registration form has been processed [register.php]:
TAKENUSER - Text to display when the username has already been taken.
NOUSERNAME - Text to display when no username was entered.
CONPASSNPASS - Text to display when the password or the confirm password field was left empty.
NOEMAIL - Text to display when no email address was entered.
EMAILINDB - Text to display when the system detects that the email address already exists in the database.
INVALEMAIL - Text to display when the submitted email address fails the email validation check.
PASSNOMATCH - Text to display when the password field does not match the confirm password field.
REGISTEROKREQEMAIL - Text to display when the registration is OK and the user is now required to activate his account.
REGISTEROK - Text to display when the registration is OK. (For sites with email activation turned off.)
REGISTERMAILPROB - Text to display upon successful registration but failure to send activation email.
EMAILTITLE - The subject of the activation email.
EMAILMSG - The actual email message. Use the %ACTIVATIONURL% tag to denote where to place the activation URL, %SCRIPTURL% to denote the path to the manual activation file and the %ACTIVATIONKEY% tag to denote the activation key.
For the messages that will be displayed upon activation:
NOACTIVATE - Text to display when the activation procedure has failed.
ACTIVATEDONE - Text to display upon successful activation.
For closed registration forms:
NOREGISTERMSG - Text to display informing visitors that public registration has been disabled.
ADMINLOGINHEADER - The text displayed in the header row of the admin login table.
ADMINLOGOUT - Link to log out of the admin account.
ADMINLOGGEDOUT - Text displayed when logged out of the admin account.
For the password reset page [reset.php], we have:
RESETTITLE - The HTML title for the password reset page.
RESETHEADER - The text displayed in the header row of the reset password table.
RESETTEXT - The text displayed above the reset password form.
ENTERPIN - The link to the PIN entry form.
RESETBUT - The text in the value attribute of the form submit button on the reset password page.
For the PIN entry form [reset.php?enterpin=1]:
PINENTERTITLE - The text displayed in the header row of the PIN entry table.
PINSENT - The text above the PIN entry form.
RESETPASSBUT - The text in the value attribute for the button to reset the password.
For the various messages generated by the reset password script:
WRONGRESET - Text displayed when there is no matching email/username combination in the database.
PINMAILPROBLEM - Message displayed when there is a problem sending the reset email from the server.
WRONGPIN - Text displayed when a wrong PIN was entered.
RESETEMAILTITLE - The subject line of the reset password email.
RESETEMAIL - The reset password email message. Use the %PIN% tag to denote the insertion point for the PIN.
RESETPASSNOMATCH - Text displayed when the password and the confirm password fields in the reset password form don't match.
For the change password page [changepass.php], we have:
CHANGEPASSTITLE - The HTML title for the change password page.
CHANGEPASSHEADER - The text displayed in the header row of the change password table.
CHANGEPASSTEXT - The text above the change password form.
CURRENTPASS - The current password field descriptor.
NEWPASS - The new password field descriptor.
CONNEWPASS - The confirm new password field descriptor.
CHANGEPASSBUT - The text in the value attribute of the form submit button on the change password page.
And for the various messages displayed after processing:
NOCURRENTPASS - Text displayed when nothing was entered in the current password field.
NONEWPASS - Text displayed if the new password or the confirm new password field is left blank.
NEWPASSNOMATCH - Text displayed if the value entered in the new password field does not match the value in the confirm new password field.
WRONGOLDPASS - Text displayed if the value entered in the current password field is not the correct password.
PASSCHANGED - Text displayed upon successful change of password.
Note that those constants documented here are subject to change across different versions. As such, you are required to define the minimum compatible version in the language file as well. This is done by writing $requiredver = "build number";
at the beginning of the file. For files following this document, the build number should be 20081126.
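The following is an added sample language file illustrating the format described above; it is not one of the language files shipped with ALS, and the wording of the strings is my own. It covers the login page constants and the activation email, including the %...% placeholder tags the script substitutes.

```php
<?php
// alslang-example.php: added sample language file for ALS (not part of the distribution).
// Place it in alssystem/languages and set $language = "example"; in config.php.

// Minimum compatible build, checked by ALS before the constants below are used
$requiredver = "20081126";

// Login page [login.php]
define("LOGINTITLE", "Members Login");
define("LOGINHEADER", "Please log in");
define("LOGINTEXT", "Enter your username and password to continue.");
define("USERNAME", "Username");
define("PASSWORD", "Password");
define("IMGVALIDATION", "Security code");
// Only the text between the two % signs becomes the refresh link
define("REFRESHMSG", "Cannot read the code? %Refresh it%.");
define("RMBPASS", "Remember my password");
define("SECURITYMSG", "Only use this option on a computer that nobody else can access.");
define("LOGINBUT", "Log in");
define("REGLINK", "No account yet? Register here.");
define("RSTLINK", "Forgotten your password?");

// Messages shown after the login form is processed [login.php].
// WRONGACCT deliberately does not say whether the username or the password was wrong,
// so a failed attempt does not confirm that an account exists.
define("CAPTCHAEXPIRE", "The security code has expired. Please request a new one.");
define("WRONGIMG", "The security code you entered is wrong.");
define("TRIESLEFT", "attempts left");
define("WRONGACCT", "The username and password do not match.");
define("EXCEEDTRIES", "Too many failed attempts. Please try again later.");
define("RETRY", "Try again");

// Logout and expiry
define("SESSIONEXPIRE", "Your session has expired. Please log in again.");
define("LOGOUT", "You have been logged out.");
define("CONT", "Continue");

// Activation email [register.php]: the three tags are replaced by the script.
// The string is a plain-text email body, so newlines are written as \n inside double quotes.
define("EMAILTITLE", "Activate your account");
define("EMAILMSG", "Thank you for registering.\n\n"
    . "Activate your account by visiting:\n%ACTIVATIONURL%\n\n"
    . "If the link does not work, open %SCRIPTURL% and enter the key %ACTIVATIONKEY% manually.");
?>
```

The remaining constants listed above (registration, reset and change password pages) must be defined in the same way, since the script expects every documented constant to exist for the build number given in $requiredver.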
If you have any queries or feedback, feel free to contact me.
The development mode was first introduced in v0.03B Preview 1 to facilitate testing during the coding process. From there, I have expanded the development mode so that all developers can make use of the features while developing for ALS, be it themes, language files or modules (which will be introduced in the next version). To enable development mode, you need to set the $development setting under config.php to TRUE. However, note that in development mode, many security features are turned off, and hence, you are strongly discouraged from running development mode on a public server.
Besides the development mode, this section will also cover some of the other functions that I have created that you can use in your own ALS-protected website.
In development mode, you can enable certain features by passing certain parameters through the URL like this: http://www.mysite.com/als/login.php?parameter. Below details some of the parameters that are made available in the development mode. Many of the script's processes are also displayed as HTML comments viewable in the source code.
Debugging
In development mode, you can easily identify the sources of error and submit a support request through my site. When development mode is enabled, all MySQL queries executed will be displayed as HTML comments, which are viewable in the source code. This is very helpful for identifying the query that is causing any problems. However, this may pose a security risk as malicious users can easily view the queries that are being run through the system and discover potential loopholes in the system.
If you want to disable this feature during your session, pass disablecomments=1 through the URL.
Themes
In development mode, you can switch themes on the fly simply by passing settheme=theme name through the URL. You can also test how your theme looks in the installer by passing forceinstall=1 into the URL.
Other URL Parameters
There are a number of other parameters that you can pass through which may not be very useful, but are mentioned here just in case there is a need for them.
noupdate=1 - Disables the update script even when $updatechecking is set to TRUE in config.php.
forceerror=1 - Disables the development mode for the current session. Useful for testing for errors that might be overlooked in development mode.
prunenow=1 - Clears the login attempts table immediately. Might pose a security risk as it will render brute force protection useless.
forceupdate=1 - Checks the update server for updates even if it has already been checked in the browser session. Needs $updatechecking to be set to TRUE in config.php.
Security Notes
In development mode, the brute force protection period is cut down to only 20 seconds. While this might be useful to test certain features, it will pose a security risk on a public server.
Also, in development mode, the script will ignore the existence of the alssystem/install subfolder. This is another security loophole as malicious users may run the installation script without your knowledge.
Once again, YOU ARE STRONGLY DISCOURAGED FROM TURNING ON DEVELOPMENT MODE ON PUBLIC SERVERS.
There are also a few functions that you can use for your ALS-protected pages. Remember to use the require (recommended) or the include function to include the file functions.php in the alssystem directory.
check_login()
This is the function that will check if the user is logged in for all the protected pages. This function is already included in als.php, so there is no need to add it to pages that include that file. There are no parameters to pass through.
print_user()
This will print the username of the user that is currently logged in. There are no parameters to pass through.
logout()
Declare this function to log the user out. Nothing will happen if the user is not logged in. There are no parameters to pass through.
lastip()
This will return the value of the last IP address where the user logged out. Note, to display the value, you would need to use the print or echo function (eg. echo lastip();). There are no parameters to pass through.
session_auto_expire()
This function will cause the user session to automatically expire after a set amount of time defined in config.php. (Ignored if the setting is turned off.) Note that this function is already declared in als.php, so any pages that include that file will automatically have session expiry. There are no parameters to pass through.
captcha_expire()
This function will cause the CAPTCHA image code to automatically expire after a set amount of time defined in config.php. (Ignored if the setting is turned off.) There are no parameters to pass through.
print_error($errorheader,$errorsteps,$killscript)
This is the function that prints out script execution errors. It includes the following parameters:
$errorheader - The main error description. This will be displayed in red and extra large font size.
$errorsteps - This details the steps recommended to fix the error. HTML tags can also be used. This is added after a "You are recommended to ".
$killscript - If set to a value of 1, the script will stop executing. If left blank, the script will continue to run. This is used to terminate scripts that have met a critical error.
Usage example: print_error("MySQL Error! ".mysql_error(),"turn on development mode and check the last MySQL query","1");
alert($content)
Use this to display a Javascript alert. It includes the following parameters:
$content - The text content you want to display in the alert.
Usage example: alert ("Hi, this is an alert!");
check_email_address($email)
This is the function used to validate email addresses. With a valid email address, it will return TRUE. It includes the following parameters:
$email - This is the email address you want to validate.
Usage example: check_email_address ("you@gmail.com");
aes_encrypt($input)
This is the function used to encrypt input with AES protection. The key for encryption is defined in $session_key under config.php. It includes the following parameters:
$input - This is the content you want to encrypt.
Usage example: aes_encrypt ("Hello World");
aes_decrypt($input)
This is the function used to decrypt input that was encrypted with the aes_encrypt function. It includes the following parameters:
$input - This is the content you want to decrypt.
Usage example: aes_decrypt ("sdfasdfkspodt0934upsiodjgfse8dterptp0u4590euf");
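As an added example (not code from the ALS distribution), here is a complete members-only page that combines the protection snippet with the developer functions above: logout() for a custom logout link, print_user() and lastip() for the welcome line, and check_email_address() to validate a form field. It assumes the page sits in the same folder as als.php and the alssystem directory, and that login.php is the public login page.

```php
<?php
// members.php: added example of an ALS-protected page (not part of the ALS distribution).
// Assumes als.php and alssystem/ are in the same folder as this file.
session_start();
ob_start();
include("als.php");   // check_login() and session_auto_expire() run here; visitors who are not
                      // logged in never reach the code below

// als.php may already have loaded functions.php, so require_once is used instead of the
// plain require shown in the README; a second plain require would be a fatal redeclaration.
require_once("alssystem/functions.php");

// Custom logout link: ?logout=1 on this page, mirroring login.php?logout=1.
// Output is still buffered (ob_end_flush() is at the bottom), so the redirect header works.
if (isset($_GET['logout']) && $_GET['logout'] === '1') {
    logout();                       // harmless if the user is somehow not logged in
    header("Location: login.php");
    exit;
}

// Validate an address the member submits, using the script's own validator
$notice = "";
if (isset($_POST['contact'])) {
    if (check_email_address($_POST['contact']) === TRUE) {
        $notice = "Contact address accepted.";
    } else {
        $notice = "That does not look like a valid email address.";
    }
}
?>
<html>
<head><title>Members Area</title></head>
<body>
<p>Welcome, <?php print_user(); ?>.</p>
<?php
// lastip() returns its value rather than printing it. Treat it as untrusted data and
// escape it on output, as with anything that is stored and later echoed into HTML.
$ip = lastip();
if (!empty($ip)) {
    echo "<p>Your last logout was from " . htmlspecialchars($ip, ENT_QUOTES) . ".</p>";
}
if ($notice !== "") {
    echo "<p>" . htmlspecialchars($notice, ENT_QUOTES) . "</p>";
}
?>
<form method="post" action="">
    Contact email: <input type="text" name="contact" />
    <input type="submit" value="Save" />
</form>
<p><a href="?logout=1">Log out</a> | <a href="changepass.php">Change password</a></p>
</body>
</html>
<?php ob_end_flush(); ?>
```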
© iQuest Studios