Basic 'secure' user authentication PHP/ MySQL script
-MySQL database - standard config. Password fields must be encrypted.
- All PHP programming
--Email will serve as username. Password must have min. 8 chars, max. 16 chars. NO user self registration allowed.
-Administrator interface to create/ modify/ delete users and user information including password modification.
-- Lock or unlock (suspend) user accounts.
-- Ban IP list
--!!!Administrator account cannot be locked or banned.
Administration area - default page
-- 'select account' - dropdown select box of all accounts. upon selection opens editor for selected account.
-- 'Create new account' - opens account creator form with the following fields: email/ user name (same field), password, account name, contact name, save (submit button or link). Upon successful save, success message is displayed with "continue" button which will lead back to default admin page.
Account area (administration view/ editor)
-- Upon selecting existing account, user account form opens with the same fields as the New Account form with existing user information filled in. Exceptions: Modify user (submit button), Delete User (submit button with protective 'are you sure' warning), cancel (returns administrator to default page without any changes made).
-- There also must be a unique account ID for the database that is not editable but viewable. All other fields, including email/ user can be edited by Admin.
***ADMINISTRATOR ACCOUNT IS HANDLED SEPARATELY - User accounts will have one privilege level: 'user' - there is only one super-user/ admin and new ones cannot be created. They will be stored in a separate table and must not have any way of escalating permissions. Their only privileges are to login, logout, or to activate 'Forgot Password'
-- Admin user name will be 'admin_owner' - this will be a fixed username only editable directly in the database NOT in the admin interface.
--No user self-registration or management... all registration is handled by administrator
- 'Forgot password' feature sends current password to user via email, and notifies administrator that 'Forgot Password' was initiated (password is NOT sent to administrator). 'Forgot Password' link on login page.
- Use inherent PHP mail handler, or SMTP for sent mail, your choice
- This will run in SSL environment (already installed and working, just letting you know)
- Login page - two fields 'username/ email' 'password' with submit button.
- Result of successful login: access to default page of OSticket installation. All access to OSticket USER AREA (NOT ADMIN) will be protected by this authentication. OSTicket staff/ admin area is not part of this at all.
- Result of failed login attempt: error message 'invalid login, please try again'.
SECURITY FEATURE/ FLOOD PROTECT - ACCOUNT PROTECT and SUSPEND
--- After 7 failed login attempts, account is temporarily suspended (no access for 30 minutes). Upon 6th failed attempt error warning will be displayed indicating that if another attempt fails the account will be suspended.
--Upon 7th failure, message 'Account has been suspended. Please contact the administrator to unlock your account or wait 30 minutes and try again.'. Administrator and user will be notified of account suspension by email including IP address of user. Login fields will become inaccessible to user who caused the suspension. This can be accomplished by ip banning.
-- Auto logout upon 30 minutes inactivity, and upon closure of browser.
-- Manual logout only upon closure of browser
NOTE: The entire authentication process must be handled outside of OSTicket and NOT dependent on OSticket code in any way (except for authentication 'require' code that must be added to OSticket pages). However, there may be a conflict with OSticket sessions. You have to find a way to work around this without modifying OSTicket code.
NOTE: All coding must be secure with appropriate anti-hacking measures. Database also must be as secure as possible.
NOTE: All Code must be open-source for later modifications.
NOTE: All code must be free from links or references to the developer or company. Must be completely generic.
Payment terms: Freelancer Milestone payment only. One payment created at start and released upon approval of completed project.
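The suspension rule from the SECURITY FEATURE section above (warning on the 6th failure, 30-minute suspension on the 7th, administrator account exempt), as an added PHP example that is not part of the original brief. The function name, the row keys and the wording of the 6th-attempt warning are assumptions; storage, IP banning and the notification e-mails are left to the caller.

```php
<?php
// Added example. Function name, row keys and the warning wording are assumptions.
const MAX_FAILURES   = 7;             // 7th failure suspends the account
const WARN_AT        = 6;             // 6th failure shows the warning
const SUSPEND_SECS   = 30 * 60;       // 30-minute suspension
const ADMIN_USERNAME = 'admin_owner'; // cannot be locked, per the brief
const MSG_INVALID    = 'invalid login, please try again';
const MSG_SUSPENDED  = 'Account has been suspended. Please contact the administrator '
                     . 'to unlock your account or wait 30 minutes and try again.';

// Apply one login attempt to an account row; returns [updated row, message].
// $row = ['username' => string, 'failures' => int, 'suspended_until' => Unix time, 0 = none]
function applyLoginAttempt(array $row, bool $passwordOk, int $now): array
{
    $lockable = ($row['username'] !== ADMIN_USERNAME);
    // Still suspended: reject even a correct password, so the window leaks nothing.
    if ($lockable && $row['suspended_until'] > $now) {
        return [$row, MSG_SUSPENDED];
    }
    // A suspension that has expired is cleared and counting starts again.
    if ($row['suspended_until'] !== 0) {
        $row['failures'] = $row['suspended_until'] = 0;
    }
    if ($passwordOk) {
        $row['failures'] = 0;
        return [$row, 'ok'];
    }
    $row['failures']++;
    if ($lockable && $row['failures'] >= MAX_FAILURES) {
        // Caller e-mails the user and the administrator (with the IP) at this point.
        $row['suspended_until'] = $now + SUSPEND_SECS;
        return [$row, MSG_SUSPENDED];
    }
    if ($lockable && $row['failures'] === WARN_AT) {
        return [$row, MSG_INVALID . ' One more failed attempt will suspend this account.'];
    }
    return [$row, MSG_INVALID];
}

// Constructed run: seven bad passwords, a correct one during the suspension, one after it.
$row = ['username' => 'user@example.com', 'failures' => 0, 'suspended_until' => 0];
$t = 1700000000;
for ($i = 1; $i <= 7; $i++) {
    [$row, $msg] = applyLoginAttempt($row, false, $t + $i);
    echo "$i: $msg\n";
}
[$row, $msg] = applyLoginAttempt($row, true, $t + 60);
echo "during suspension: $msg\n";
[$row, $msg] = applyLoginAttempt($row, true, $t + 7 + SUSPEND_SECS);
echo "after suspension: $msg\n";
```

Because the brief exempts `admin_owner` from locking, this counter never suspends that account, so throttling of guesses against it has to come from a separate control such as the IP ban list.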
30 freelancers are bidding on average $273 for this job
Expert in doing this sort of stuff... No upfront needed, all payments through GAF Milestone Payment (Escrow).. Online 16 Hours a day, Can start right away.. Thanks
We are a small team of web developers and we are interested in developing this authentication script, even though it could be estimated at more than your budget. We can do it for $250.00. I will send our work sample in the next PM.