| Feature | | Notes |
|---|---|---|
| **General features** | | |
| System can work with standard PHP sessions or custom MySQL sessions | | admin CP |
| System will work with the register_globals=off setting in php.ini | | always |
| System will work with any error_reporting setting in php.ini, including E_ALL | | always |
| Two different protection modes: mod_access with mod_auth (mode 1) or mod_rewrite only (mode 2) | | admin CP |
| All sensitive data in the database (registration PIN codes and passwords) is strongly hashed using the MD5 algorithm | | always |
| All pages are generated from editable .htm templates | | always |
| It is easy to add any number of additional languages and let users switch between them at any time | | always |
| **User and administrator login part (main login form)** | | |
| Direct bruteforce protection | | always |
| Automatically adding bruteforcers' IPs to the ban list | | admin CP |
| IP+sessions based protection | | always |
| Cookie based protection | | always |
| Sensitive data from the server is smudged in HTTP headers and the response document body | | js |
| Encoding the entered password before sending it to the server using a complex md5 hash | | js, admin CP, user |
| Password can be entered without using the keyboard | | js, user |
| Client request can be denied if the client's IP or IP range (first 3 or 2 numbers of the IP address) is in the banned list | | admin CP |
| Special symbols filtering for all received data | | always |
| Checking the current user's expiry time on each login attempt, and deactivating or removing that user if the account has expired | | always, admin CP |
| On successful login of any user, any other user with the same username who is currently online in the protected area is redirected to the login page (rotation) | | always |
| After the number of rotations specified in the config file occurs within a limited time period, the system drops the user's old password, generates a new one and sends it to the real user's e-mail address | | always, admin CP |
| System can try to deny access from open relay proxy servers (1 detection step by default; 2 more steps can be added using a script from the extra folder) | | admin CP |
| After successful login, the user can log out or change his profile (e-mail address or password) at any time | | always |
| Server access files are rechecked and updated after each successful login | | always |
| Server access files may be rechecked and updated after any script call | | admin CP |
| User will be forced to log in again after a specified time period | | always, admin CP |
| Accurate calculation of protected area access time. If the user will expire in a few minutes, he will gain access to the protected area only for those "few minutes" | | always |
| Completely separated administrator and user login processes | | always |
| Auto login for returning users (if the received session cookie matches the IP and browser mask, there is no need to enter username and password in the login form) | | always |
| **Lost password recovering** | | |
| If the user forgot the password, he will be prompted for an e-mail address on the recover password page. If the entered e-mail is found in the users table, a random confirm URL will be sent to that e-mail address | | always |
| **User groups** | | |
| Unlimited number of user groups with different activity times (from 29 years to 1 hour), with or without rebill flag | | admin CP |
| One or several separate protected folders for each user group | | admin CP |
| **PIN-based registration system** | | |
| Administrator can select between free registration and PIN-based registration | | admin CP |
| At the beginning of the registration process the user will be prompted for an e-mail address on the register page. If the entered e-mail is valid, a random confirm URL will be sent to that e-mail address | | always |
| When the user follows the link from the e-mail message, he will find a form for entering the PIN code | | always |
| Bruteforce protection for the PIN code form. Limited number of attempts to enter the PIN, with the ability to add the e-mail address used in that attempt to the ban list. A single PIN code can be used for registering only one user | | always, admin CP |
| Any number of PIN codes can be added to or removed from the system using the administrator panel, from a textarea on an HTML page or a text file on the server | | admin CP |
| PIN codes added more than a specified number of days ago can be removed from the system | | admin CP |
| Search for a PIN code in the unused PINs table | | admin CP |
| Complete logs of used PIN codes in .csv format for downloading | | admin CP |
| Separate PIN codes for each user group | | admin CP |
| PIN code can contain from 4 to 33 symbols (letters and (or) numbers) | | admin CP |
| Any part of the unencrypted data received from an IP address described in an active remote rule can be used as a PIN code | | admin CP |
| **Administrator panel part** | | |
| Extended and complex protection of the administrator panel (IP + cookies + browser match checking + session data checking + using server access files to allow only one online administrator session from only one fixed IP + administrator will be forced to log in again every few minutes) | | always, admin CP |
| Administrator can sort or search users (by any field), add a new user, view user details, change settings for several users at once and mail new (changed) passwords to users | | admin CP |
| Download or save on the server a compressed or uncompressed database dump; compress or decompress dump files on the server | | admin CP |
| Import an uncompressed database dump from a file on the server or from an uploaded file | | admin CP |
| Simultaneously deactivate or remove all expired users | | admin CP |
| **Import users** | | |
| Users can be imported from a textarea on a web page, a file on the server or an uploaded file. Only username and e-mail address can be imported. E-mail is the only required part | | admin CP |
| Only users with a wrong or duplicated e-mail can't be imported | | admin CP |
| Separate "import" and "add to users table" steps. Login information will be mailed to all imported e-mails at the end of the process | | admin CP |
| Complete import logs (in .csv format) can be downloaded at any time | | admin CP |
| **Export users** | | |
| Export the complete active or inactive users table, or only selected fields from that table, to a .csv or compressed .csv file | | admin CP |
| **Remote rules for integration with remote billing or payment systems** | | |
| Powerful remote rules constructor. It is possible to create a rule for any remote billing server (IP) that can send any kind of unencrypted data to your server. Remote servers can rebill, deactivate or remove users. Remote servers can't add users directly, but with the help of remote rules, a user returning from the remote server after the payment process can use a specified part of the information used while registering on the remote server as a PIN code | | admin CP |
| Complete logs of all remote.php script calls, with filter by result and date | | admin CP |
| **Deny access by IP or deny registration by e-mail (ban lists)** | | |
| Administrator can view, edit and clear ban lists | | admin CP |
| **Custom error handling** | | |
| Displaying error messages in the visitor's browser may be turned off | | settings |
| Error messages (with date and details) may be stored in a log file | | admin CP |
| Error messages can be mailed to the webmaster | | admin CP |
| **Additional features** | | |
| The same install.php script is used for a clean install or for upgrading from any old version while keeping all old data | | always |
| System never uses sensitive data from files on the server. Administrator can use or create files on the server while working in the admin panel (database dump or PIN codes for importing), but all such files must be removed from the server (manually, by the administrator) at the end of the admin session | | always |

Legend:
- feature available
- feature not available
js - using JavaScript
settings - can be controlled from config file
admin CP - can be controlled from administrator panel
user - selectable by user
always - feature can't be disabled from config file or administrator panel