About
uLogin is a PHP library for adding secure login and authentication capability to web applications. uLogin provides tools for secured user sessions, password storage, and logins. It uses various measures to counter different kinds of online and offline attacks, as well as to limit damage in case of a breach. Advanced capabilities like remember-me, two-factor authentication support, recognition of brute force attempts, and support for multiple user databases, in addition to a load of security features, make it a feature-rich, secure and flexible authentication system. Tools to easily integrate XSS/CSRF/replay prevention into any other part of your website are provided in the form of a compact but versatile nonce library.
uLogin is not a complete user or privilege management solution. It does not manage groups, permissions or content presentation. uLogin is not a complete web application, but a library to create a web application with.
Features
Most of the features are optional, but they are opt-out: enabled by default until you turn them off.
- A system embracing multiple levels of in-depth security
- Framework-agnostic
- Enforces secure connections for transmitting sensitive data
- Ready for multi-factor authentication, with example included
- Support for multiple authentication databases
  - Various kinds of SQL databases
  - LDAP
  - OpenID
  - SSH2
  - Duo Security
- Secured sessions
  - Session fixation/hijacking prevention
  - Replay prevention
  - Automatic SID change
  - Session idle expiry
  - Drop-in replacement for the standard PHP session_* functions
  - Custom session data store, providing security on shared hosts
  - Also works with distributed webservers
- Multiple brute force prevention measures
  - Login throttling
  - IP-address blocking
  - User blocking
- Login timing attack prevention
- Auto-login ('Remember Me')
  - Nonce-based single use
  - Cookie authenticity checking
- BCrypt'ed and dynamically salted passwords (where supported by the backend)
- Built-in nonce library, with hashed volatile and persistent nonces
- Clickjacking prevention
- Logging of login-related events
- Debug mode for development
- Free and open source
- Easy integration with captcha
- Adheres to the principle of least privilege
- Configurable, with secure defaults
- Miscellaneous helper routines
  - Password strength estimation
  - Cryptographically strong, cross-platform random string generation
  - User-friendly password generation