==================================================
                    SQL QuickRegister - May 15, 2008
              ==================================================



E-mail
------
   There are two ways of sending e-mail if the application is installed on a
   Unix/Linux server, sendmail or Net::SMTP.  These options are configured
   from the administrative panel under the Configuration link.


Cookies
--------
   This application requires the use of cookies.  Upon login a temporary cookie
   is created for the user.  When pages or URLs are accessed through our
   redirect script the login cookie is checked to see if the user is logged in.
   The application also checks the lapse time, and if it is greater than what is
   permitted the user is asked to log in again.  All in all, this method
   prevents the user from bookmarking a page and later accessing that URL
   without logging in.

   When the user shuts down the browser the cookie disappears.

   There is a feature of the application that permits the creation of a
   permanent cookie so that the user need only log in once.  This, though, is
   not the default.

Security
--------
1. The login session cookie is protected by a 1-way hash function.
   The value of the login session cookie is created from a unique identifier
   (built from the process id, time and IP address), and
   a random session number which is put through the 1-way hash function.

   This token exists for each login session and changes for every new
   session.  
   
2. One can further the security by restricting access by IP address
   and/or user agent (the user's operating system and browser).
   Therefore a terminate session link is available to the user; however, if
   they log off inadvertently and log in again, though their session
   is not finished, the application will allow the login as long as the IP address
   and/or user agent match.
   
   
3. Access to the administrative web panel is implemented by using 2 passwords.
   As mentioned in the instructions, good passwords consist of a random selection
   of characters and numbers at least 8 characters in length.

   Also, the login cookie created for the administrator uses a
   random token for the login session and changes for each login.
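
The token construction described in item 1, as an added Python sketch (not the application's own Perl code). SHA-256, the function names and the way the parts are joined before hashing are assumptions; the page does not name the hash function or the layout.

```python
import hashlib
import hmac
import os
import secrets
import time


def new_session_token(ip, pid=None, now=None, rand=None):
    """Hash the unique identifier together with a random session number."""
    pid = os.getpid() if pid is None else pid
    now = time.time() if now is None else now
    # pid, time and IP address are predictable, so all of the token's
    # unpredictability comes from this value: it must come from a CSPRNG.
    rand = secrets.token_bytes(16) if rand is None else rand
    unique_id = f"{pid}:{now:.6f}:{ip}".encode()
    return hashlib.sha256(unique_id + b"|" + rand).hexdigest()


def token_matches(presented: str, stored: str) -> bool:
    """Compare the cookie value with the stored token in constant time."""
    return hmac.compare_digest(presented.encode(), stored.encode())


if __name__ == "__main__":
    # Constructed sample values (documentation-range IP address).
    fixed = dict(ip="192.0.2.10", pid=4242, now=1210809600.0)
    a = new_session_token(rand=b"\x00" * 16, **fixed)
    b = new_session_token(rand=b"\x00" * 16, **fixed)
    c = new_session_token(**fixed)
    print("same inputs, same random part -> same token:", a == b)
    print("same inputs, fresh random part -> same token:", a == c)
```
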
   

    
Login Access Types and Restrictions
-----------------------------------
SQL QuickRegister is configured to allow a number of login access restrictions.

First and foremost SQL QuickRegister allows only one login session.  

The 3 possible kinds of login access sessions are determined by the values
of restrictbyip and restrictbyuseragent.

Type 1   
------
restrictip=0
restrictbyuseragent=0

This is SQL QuickRegister's default setting.  This will allow the user
to log in from any browser, operating system and IP address.

Type 2
------
restrictip=1
restrictbyuseragent=0

The user's IP address is used as a footprint to restrict their access.

Type 3
------
restrictip=1
restrictbyuseragent=1

The user's IP address and the operating system and browser of their computer are used as
a footprint to restrict their access.

One more important parameter is restrictfootprintbysession.

When restrictfootprintbysession=1, the ip/useragent footprint can be
refreshed after each session, that is, once the session lapse time has expired
(this refers to the parameter SessionTimeInMinutes).

This allows a user to change their computer and/or IP address (their internet
connection) while still restricting access during the session.

When restrictfootprintbysession=0 then the ip/useragent footprint completely
restricts the user to the same ip address (internet connection) and/or computer
(browser and operating system). In this case when the user registers the footprint
will be captured and thus log in can only take place from the computer they
registered from.

If a footprint needs to be reset only the administrator can do so.
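
The footprint rules above, modelled as a decision function in an added Python example (not the application's own code). The parameter names come from this page; `check_login`, the `Footprint` record and its `last_seen` field are hypothetical, and a missing footprint is assumed to mean "not yet captured, or reset by the administrator".

```python
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Footprint:
    ip: str
    user_agent: str
    last_seen: float  # epoch seconds of the last session activity


def check_login(cfg: dict, stored: Optional[Footprint], ip: str,
                user_agent: str, now: float) -> Tuple[bool, Optional[Footprint]]:
    """Return (allowed, footprint to keep) for one login attempt."""
    use_ip = cfg["restrictip"] == 1
    use_ua = cfg["restrictbyuseragent"] == 1
    if not (use_ip or use_ua):
        return True, stored                    # no footprint restriction
    fresh = Footprint(ip, user_agent, now)
    if stored is None:
        return True, fresh                     # first capture, or after an admin reset
    lapse = cfg["SessionTimeInMinutes"] * 60
    if cfg["restrictfootprintbysession"] == 1 and now - stored.last_seen > lapse:
        return True, fresh                     # session lapsed: footprint refreshed
    same = ((not use_ip or ip == stored.ip) and
            (not use_ua or user_agent == stored.user_agent))
    if not same:
        return False, stored                   # mismatch: reject, keep old footprint
    return True, Footprint(stored.ip, stored.user_agent, now)


# Constructed sample data (documentation-range IPs, made-up user agents).
IP_ONLY = {"restrictip": 1, "restrictbyuseragent": 0,
           "restrictfootprintbysession": 1, "SessionTimeInMinutes": 30}
IP_AND_UA = dict(IP_ONLY, restrictbyuseragent=1)
PINNED = dict(IP_AND_UA, restrictfootprintbysession=0)
HOME = Footprint("192.0.2.10", "Firefox/Linux", last_seen=0.0)

if __name__ == "__main__":
    for name, cfg in (("ip only", IP_ONLY), ("ip+ua", IP_AND_UA), ("pinned", PINNED)):
        for t in (60.0, 31 * 60.0):
            ok, _ = check_login(cfg, HOME, "198.51.100.7", "Firefox/Linux", t)
            print(f"{name}: new IP at t={t:.0f}s -> {'allow' if ok else 'deny'}")
```
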
   

Error Log
---------
   When a system error occurs the error is recorded either in error.txt, for
   general system errors such as missing files, or sqlerror.txt for SQL access
   errors.  Also, if the AdminEmail address is defined, an e-mail will be sent
   to that address indicating the error.  For example, if MySQL goes down
   then the administrator will receive an e-mail indicating that MySQL is down.


Login Stats
------------
   Member logins are tracked by date and time in a MySQL table called
   loginstats.  You can view these stats with a MySQL data manager like
   mysqlman or phpAdmin.  To turn this on, set the parameter UseLoginStats to 1
   under Edit Configuration Parameters.

   

Custom XML Tags and Place Markers
---------------------------------
   Custom XML Tags
   Throughout the HTML Templates there are custom XML tags used to capture 
   information returned by the scripts.
   
   The custom XML tag looks as follows:
   
         <QR $variable>
         
   Example: The subtemplate header.htm is captured in a main template by the 
   Custom XML tag:
            <QR $header>
            
   Place Markers
   All forms have place markers set in the values of their input parameters in order
   to capture any form values either stored from the database or returned from a
   validation of the form page.
   
   The Custom Place Marker looks as follows:
   
         %$variable%
         
   Example: In register.htm the input tag for lastname will have the following Custom Place Marker
      
          <input name="lastname" value="%$lastname%" size="40">
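
How the two marker kinds can be filled safely, as an added Python example (not the application's own template code). The `render` function and its arguments are hypothetical; the point shown is that a form value placed inside `value="..."` must be HTML-escaped, and that substituted text is never rescanned for further markers.

```python
import html
import re

NAME = r"([A-Za-z0-9_]+)"      # same character set the page allows for field names
QR_TAG = re.compile(r"<QR \$" + NAME + r">")
MARKER = re.compile(r"%\$" + NAME + r"%")


def render(template: str, subtemplates: dict, values: dict) -> str:
    """Expand <QR $name> tags, then fill %$name% markers with escaped values."""
    # Subtemplates are trusted server-side files, so they are inserted as-is.
    # They are expanded first so a form value can never introduce a new tag.
    page = QR_TAG.sub(lambda m: subtemplates.get(m.group(1), ""), template)

    def fill(m):
        raw = str(values.get(m.group(1), ""))   # unknown marker -> empty value
        return html.escape(raw, quote=True)     # quotes escaped for attribute context

    # One pass only: text produced by a substitution is not rescanned.
    return MARKER.sub(fill, page)


# Constructed sample input.
TEMPLATE = '<QR $header>\n<input name="lastname" value="%$lastname%" size="40">'
SUBTEMPLATES = {"header": "<h1>Register</h1>"}

if __name__ == "__main__":
    # A value containing a quote stays inside the attribute after escaping.
    print(render(TEMPLATE, SUBTEMPLATES, {"lastname": 'Doe" onmouseover="x'}))
    # A value that looks like another marker is emitted literally.
    print(render(TEMPLATE, SUBTEMPLATES,
                 {"lastname": "%$email%", "email": "a@example.com"}))
```
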
            
          
 
Add and/or Modify a table field in register
--------------------------------------------
   A. There are 10 additional descriptive fields which can be used.
   
   B. Add a Field
      1. To add a new field use an SQL Data Manager like phpAdmin or mysqlman.
      2. Modify the register, update profile and the update registrant forms.
      3. If the new field(s) are required to be filled in on the forms, change
         the parameters under the Edit Registration Parameters Link for validation
         for all 3 forms.
      4. For form security add these field(s) to the file secure_form_variables.txt
         to define their type and field length.
         
   Note: Field names can be composed only of alphanumeric characters and
         the underscore; namely, [a-zA-Z0-9] and _ .
         
   C. Edit a Field
      1. Edit the field using an SQL Data Manager like phpAdmin or mysqlman.
      2. If necessary modify the register, update profile and the update 
         registrant forms.
      3. If the field's required (filled-in) validation changes, modify the
         parameters under the Edit Registration Parameters Link for validation
         for all 3 forms.
      4. If the width or type changes then update secure_form_variables.txt.
      
    
How to link to other applications 
----------------------------------
  
  To link SQL QuickRegister to other applications requires the programming skill to
  integrate or translate a number of functions used in the application.
  
  A. Verify Login:   
     1. VerifyLoginTicket() found in genlib.pl
     2. GetSessionKey() found in mysqllib.pl
                  
  B. Check Session Time: 
     1. CheckSessionTime() found in genlib.pl
     2. FindRecord() found in mysqllib.pl
     
  C. Update Session Time:
     1. UpDtSessionTime also found in genlib.pl
     2. UpDtData found in mysqllib.pl
                  
     
         
Using the E-mail Address as the Userid
--------------------------------------
1. Set UseEmailAsUserId=1
2. One can restrict e-mail address registrations to a particular domain.
   Set SpecificEmailValidate= to the domain to restrict to.