Welcome to UserCake, a simple and secure user management system.
- What is UserCake?
- What user features does UserCake offer?
- What admin features does UserCake offer?
- Where can I find additional features?
- How do I set up UserCake?
- Where can I find support?
- How does UserCake handle security?
- Do I need to do anything to ensure security?
- How do I protect pages?
- How do I create a secure page?
- How is UserCake licensed?
- How do I add new fields to register?
What is UserCake?
UserCake is a free, open source user management framework designed in PHP. It is meant to be a foundation upon which web applications which involve user management can be quickly and easily developed.
What user features does UserCake offer?
UserCake comes with all the features a user needs to register and log in to the site. These features include:
- Registration Page
  - Collect user name
  - Collect display name
  - Collect & confirm password
  - Collect email
  - Perform various checks to ensure integrity of information
  - Force user to pass captcha test
  - Add new user to database
- Login Page
  - Collect username & password
  - Verify username and password
  - Log user into secure section of website
- User Settings Page
  - Allow user to change password & email
  - End a user's secure session
- Forgot Password Page
  - Allow users to retrieve a forgotten password
- Resend Activation Page
  - Resend activation email to users
What admin features does UserCake offer?
UserCake comes with all features needed for an admin to manage the site's users and pages. These features include:
- Configuration Page
  - Set site name
  - Set site URL
  - Set site email address
  - Set minimum wait time between user requests for activation emails
  - Set language file to be used throughout site
  - Toggle whether email confirmation is required for user activation
  - Set site template
- User Management Pages
  - Display details of all users
  - Delete users
  - Change user's display name
  - Change user's email address
  - Change user's title
  - Manually activate account
  - Add/remove permission group memberships
- Page Management Pages
  - Display details of all pages
  - Toggle private/public status of pages
  - Add/remove permission groups' access to pages
Where can I find additional features?
UserCake does not maintain an official library of optional features. The concept behind UserCake is that it is a foundation which helps developers get their web applications started. UserCake is not meant to be the complete solution for those who do not intend to develop the code independently. Therefore, if you're looking for an additional feature, the best solution is to develop it yourself.
That said, many members of our community do share plug-ins they've independently developed for UserCake. The best place to find such plug-ins is on our forum.
How do I set up UserCake?
- Download the latest version of UserCake from our downloads page, and upload it to your server.
- Create a database on your server / web host.
- Open up models/db-settings.php
- Insert your database name, user name and password in lines 9-11.
- Visit the domain where you've uploaded UserCake and click 'Install UserCake'.
- Delete the /install folder.
- Go create an account (the first account created is automatically an admin, so you'll want to do this immediately).
Where can I find support?
The best place to find answers to your questions is here in the docs. If the answer isn't here, you may wish to seek assistance on our forum.
How does UserCake handle security?
UserCake hashes passwords with SHA1 combined with a per-user salt. The salt is 25 characters in length and can be increased to 32 characters. Locate the generateHash() function in models/funcs.php to modify this.
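The following is an added illustration of the salt-plus-SHA1 scheme described above; it is not UserCake's own generateHash() code. The storage layout (salt written in front of the hex digest), the helper names, and the hex-character salt alphabet are assumptions of this example. The salt length is a single constant so that the 25-to-32 change the text mentions is one edit, verification re-derives the salt from the stored value and compares in constant time, and PHP's built-in password_hash()/password_verify() is shown alongside because a salted SHA1 is still a fast hash that can be brute-forced offline far more cheaply than a purpose-built password hash.

```php
<?php
// Added illustration of a salt + SHA1 password scheme. Not UserCake's
// generateHash(); the stored layout (salt prepended to the hex digest)
// and all function names here are assumptions of this example.

const SALT_LENGTH = 25;   // the page says this may be raised to 32

// Produce a random salt of SALT_LENGTH hex characters (PHP 7+ random_bytes).
function makeSalt() {
    return substr(bin2hex(random_bytes(16)), 0, SALT_LENGTH);
}

// Hash a password with a new or supplied salt.
// Returns salt . sha1(salt . password): SALT_LENGTH chars + 40 hex chars.
function saltedSha1($plainText, $salt = null) {
    if ($salt === null) {
        $salt = makeSalt();
    }
    $salt = substr($salt, 0, SALT_LENGTH);
    return $salt . sha1($salt . $plainText);
}

// Verify a login attempt by re-hashing with the salt stored in front of
// the digest. hash_equals() (PHP 5.6+) compares in constant time so the
// response timing does not reveal how many leading characters matched.
function verifySaltedSha1($plainText, $stored) {
    $salt = substr($stored, 0, SALT_LENGTH);
    $recomputed = saltedSha1($plainText, $salt);
    return hash_equals($stored, $recomputed);
}

// Built-in alternative for new code: a deliberately slow, per-user-salted
// hash whose salt and cost parameters are embedded in the returned string.
function modernHash($plainText) {
    return password_hash($plainText, PASSWORD_DEFAULT);
}
function modernVerify($plainText, $stored) {
    return password_verify($plainText, $stored);
}

// Constructed sample run.
$stored = saltedSha1('correct horse');
var_dump(verifySaltedSha1('correct horse', $stored));
var_dump(verifySaltedSha1('wrong guess', $stored));
var_dump(strlen($stored) === SALT_LENGTH + 40);

$modern = modernHash('correct horse');
var_dump(modernVerify('correct horse', $modern));
```

Raising SALT_LENGTH only changes how many characters verifySaltedSha1() peels off the front of the stored value, so existing hashes written with the old length would no longer verify; if you change the length in a live installation, users must re-set their passwords or the old length must be kept for old rows.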
Do I need to do anything to ensure security?
UserCake is designed with security in mind. We've worked hard throughout development to ensure it's as secure a platform as possible. However, the security of web applications is a very complicated area. There are many potential vulnerabilities you will have to keep in mind as you develop your application. Unfortunately, to give a comprehensive list here would be too onerous. If you're completely new to the area of web application security, you may want to do some research and read up on common vulnerabilities.
One thing we do recommend you do quickly is to switch from the basic CAPTCHA system included in UserCake to a more robust system, such as Google's reCAPTCHA. The included CAPTCHA is not robust enough to withstand directed efforts to break it. We included a basic system because we wanted to offer some level of protection, and reCAPTCHA needs to be keyed to a specific domain.
How do I protect pages?
There are three basic functions which are used to protect pages in UserCake:
securePage() is a new function in 2.0, and the recommended function for securing pages. It is the function which ought to be used if you want the admin panel to dynamically control which permission levels have access to a page.
The second function checks if a user has been granted a Permission Level. It's useful if you have content on a page (such as admin features) which you only want specific users to see. You simply specify the Permission Levels which ought to have access as an array.
The third function checks if the user is logged in. It's useful if your permission levels change often and you have a page you want everyone to have access to, or for public pages where you want some parts to be visible only to logged-in users (such as the box to post comments on a blog).
How do I create a secure page?
Creating a secure page in UserCake is easy. Here's a brief explanation:
Once UserCake is fully installed, and you've created your admin account, create a new file called 'example.php'.
In this page, we're going to include the following code:
UserCake Version: 2.0.1
<div id='top'><div id='logo'></div></div>
CONTENT OF YOUR FIRST PAGE
Let's walk through this code a bit, so we know what's going on.
At the very top of this code is the section that makes the page part of UserCake. First, it includes the 'models/config.php' file. This file connects to the database and initialises all of UserCake's functions. Second, it runs the securePage() function. This function checks if the page we're on is public or private, and (if it's private) checks whether we're logged in as a user who has access to the page. If it's private and we don't have access, we're sent to a page we do have access to. Last, this section includes the header template. This is a file which contains the top section of our HTML page. It's kept separate so that if we want to change the look of the site, we only have to do it in one place.
Next, we get into the body. The body is the section that contains everything that's unique about this page. First, in this section, we open a few divs that are used in the layout. Then we've got our page title, 'UserCake Example Page'. This can be changed to whatever you like. After that, we include the template for the left side navigation panel in the same way as we did the page header. Once again, this is so that we only need to edit one file to add more links. Then we get to the page content. In this case, I've kept it simple just so that you know where it goes. After that, there's just a bunch of closing tags.
Now that we have our page, and understand what's on it, we need to make it secure. By default, all pages are public. To make this page private, we're going to log in with the admin account you've already created. Click on the link 'Admin Pages' on the left side of your screen. A list should come up of all the pages in your root directory, indicating which are public and which are private. The last one on the list should be 'example.php' -- click on it.
On this page, there's a checkbox marked 'private'. Tick that box and hit 'update'. The page is no longer accessible to anyone not logged in. In fact, it's not accessible to anyone yet; we need to grant access to specific permission groups. In this case, let's only let the admin see it. Click on the box next to 'administrator', and update once again.
That's it, you're done!
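The following is an added example of a complete example.php that puts the three protection functions from "How do I protect pages?" and the page walkthrough above together; it is not the page shipped with UserCake. Only securePage() is named on this page, so the other two function names (checkPermission() and isUserLoggedIn()), the argument passed to securePage(), the template file names (models/header.php and left-nav.php) and the permission level id used for administrators are assumptions of this example, flagged again in the comments.

```php
<?php
/*
UserCake Version: 2.0.1
Added example page; not the example.php shipped with UserCake.
Assumptions: header template is models/header.php, left navigation is
left-nav.php, the page-level check is securePage($_SERVER['PHP_SELF']),
the other two checks are checkPermission() and isUserLoggedIn(), and
permission level 2 is the administrator group.
*/
require_once("models/config.php");

// Page-level gate, driven by the private flag and group grants set in the
// admin panel. A visitor without access is redirected by securePage();
// die() stops the rest of this file from being rendered in that case.
if (!securePage($_SERVER['PHP_SELF'])) { die(); }

require_once("models/header.php");
?>
<body>
<div id='wrapper'>
<div id='top'><div id='logo'></div></div>
<div id='content'>
<h1>UserCake</h1>
<h2>Example Page</h2>
<div id='left-nav'>
<?php include("left-nav.php"); ?>
</div>
<div id='main'>
<p>CONTENT OF YOUR FIRST PAGE</p>

<?php
// Fragment shown only to logged-in users on an otherwise public page
// (the comment box case from "How do I protect pages?").
if (isUserLoggedIn()) {
    echo "<p>This comment box is rendered only for logged-in users.</p>";
}

// Fragment shown only to specific permission levels. The argument is an
// array of level ids; assumption: id 2 is the administrator group.
if (checkPermission(array(2))) {
    echo "<p>Administrator-only controls would go here.</p>";
}
?>
</div>
<div id='bottom'></div>
</div>
</div>
</body>
</html>
```

The two in-page checks only hide fragments of output; they do not replace securePage(), which is what keeps the whole page private until the admin panel grants a group access to it. If the page is left public in the admin panel, everything outside the two conditionals is visible to anyone.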
How is UserCake licensed?
UserCake is fully open source and free for both personal and commercial works. A link to the licence can be found below:
How do I add new fields to register?
1. In your database, create a new column for the data in the 'users' table. I named my column 'age'.
2. In register.php, add a new field to the form. I want to put in 'age' immediately after 'email', so in my case I add the following lines of code starting at line 125.
<input type='text' name='email' />
<input type='text' name='age' />
3. We then want to move the information posted in 'age' to a usable variable. To do this, we add this code to line 23:
$age = trim($_POST["age"]);
4. We also want to validate this data to make sure it can't be used for injection or XSS attacks. In this case, all we need to do is make sure it's an integer. We can do this by adding the following code to line 55:
if(!ctype_digit($age)) { $errors[] = lang("INVALID_AGE"); }
5. The 'INVALID_AGE' key we've just entered for the language variable is something we've just made up and which we need to add to our language array. Open models/lang/en.php and add the following to line 120:
"INVALID_AGE" => "Age must be an integer",
6. Back in register.php, line 63 sends the variables we need from the register form to the class which creates a user for us. We need to add $age to the list of variables being sent. It will look like this:
$user = new User($username,$displayname,$password,$email,$age);
7. Open models/class.newuser.php. In this file, we're going to refer to the entered age as '$user_age', and we need to declare that as a private variable. To do that, add this code at line 23:
8. Update line 25 to include '$age' as one of the listed variables:
9. Then, on line 34 we want to move $age to $this->user_age:
$this->user_age = sanitize($age);
10. Go to line 126, it should read 'last_sign_in_stamp'. Add a comma to the end so it reads 'last_sign_in_stamp,'. Then, on the line below type 'age'.
11. Similarly, add a comma after ''0'' on line 140 so it reads ''0',' and on the line beneath that type a question mark '?'.
12. On line 144, there's a section which reads 'sssssi'. This indicates which of the variables we're binding are strings and integers respectively. We've just added a new integer, so we need to change this to 'sssssii'. We also need to add our age variable to the list of variables we're binding. So, on that line after '$this->user_active' add ', $this->user_age'. With that done, line 143 should read as:
$stmt->bind_param("sssssii", $this->username, $this->displayname, $secure_pass, $this->clean_email, $this->activation_token, $this->user_active, $this->user_age);
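The following is an added, condensed illustration of the whole 'age' flow from steps 1 to 12: reading and validating the field in register.php, carrying it through the User class, and binding it as the seventh parameter of the prepared INSERT. It is not the project's register.php or class.newuser.php. sanitize(), lang(), generateHash(), $mysqli and the column list are taken from this page or from the UserCake conventions it quotes; generateActivationToken() and $db_table_prefix are assumed helpers, and the class is stripped down to the members the example needs.

```php
<?php
// Added illustration of the 'age' field flow. Not UserCake's own files.
// Assumed helpers: sanitize(), lang(), generateHash(), $mysqli,
// generateActivationToken(), $db_table_prefix.

// register.php side: read, trim and validate before anything touches the
// database. Whole non-negative integers only; any other input (letters,
// SQL fragments, HTML) fails ctype_digit() and never reaches the INSERT.
function readAgeField(array $post, array &$errors) {
    $age = isset($post["age"]) ? trim($post["age"]) : "";
    if (!ctype_digit($age)) {
        $errors[] = lang("INVALID_AGE");
        return null;
    }
    return (int) $age;
}

// class.newuser.php side: new private member, extra constructor argument,
// the extra column and placeholder, and a seventh type character.
class User {
    private $username, $displayname, $password, $clean_email;
    private $activation_token, $user_active, $user_age;
    public $errors = array();

    function __construct($user, $display, $pass, $email, $age) {
        $this->username = sanitize($user);
        $this->displayname = sanitize($display);
        $this->password = $pass;
        $this->clean_email = sanitize($email);
        $this->user_age = (int) sanitize($age);  // stored as an integer column
        $this->activation_token = generateActivationToken(); // assumed helper
        $this->user_active = 0;
    }

    public function userCakeAddUser() {
        global $mysqli, $db_table_prefix;
        $secure_pass = generateHash($this->password);
        // 'age' is the new last column; the matching '?' is the new last value.
        $stmt = $mysqli->prepare("INSERT INTO " . $db_table_prefix . "users (
            user_name, display_name, password, email, activation_token,
            last_activation_request, lost_password_request, active, title,
            sign_up_stamp, last_sign_in_stamp, age
        ) VALUES (?, ?, ?, ?, ?, '" . time() . "', '0', ?, 'New Member',
            '" . time() . "', '0', ?)");
        // Six placeholders were typed 'sssssi'; the integer age adds one 'i'.
        // The type string must have exactly one character per '?', in order.
        $stmt->bind_param("sssssii", $this->username, $this->displayname,
            $secure_pass, $this->clean_email, $this->activation_token,
            $this->user_active, $this->user_age);
        $ok = $stmt->execute();
        $stmt->close();
        return $ok;
    }
}

// Constructed sample of the register.php validation step.
$errors = array();
$valid = readAgeField(array("age" => " 34 "), $errors);
$invalid = readAgeField(array("age" => "34 OR 1=1"), $errors);
```

With the constructed inputs above, the first call returns the integer 34 and adds nothing to $errors, while the second returns null and appends the INVALID_AGE message, so the later `count($errors) == 0` check in register.php keeps the User object from ever being created for that request. If the count of characters in the bind_param() type string and the number of '?' placeholders drift apart, mysqli refuses the bind, so that mismatch shows up as a failed registration rather than as silently wrong data.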