PHP Generic Registration Module [GPLv3]
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Type Name Latest commit message Commit time
Failed to load latest commit information.


PHP Generic Registration Module (PHP-GEREMO)


The PHP Generic Registration Module is a PHP class which allows to implement
"double opt-in" users registration as an independent and foolproof add-on to
any existing application.

Upon completion of the registration process and once their credentials (and
optional details) stored in the configurable backend, users can be authenti-
cated and authorized using the web server's ad-hoc mechanisms - e.g. Apache's
 mod_auth_file or mod_auth_mysql - and gain access to the underlying appli-

The idea behind this module is to:
 - use the web server authentication and authorization capacities to control
   access to the underlying application (be it in PHP, ASP, Java, Perl, Python,
   etc.) and thus prevent potential application-level vulnerabilities to be
   exploited by unauthenticated agents;
 - provide developers a way to quickly add a registration process to any exis-
   ting application;
 - do so as an independent and foolproof add-on, which focus on the quality and
   the security of the registration process.


 - [MUST] PHP 5.2 or later (it may work on earlier PHP 5 versions; this is untested though)
 - [MUST] PHP mhash extension
 - [MUST] PHP mcrypt extension
 - [MUST] PHP PEAR::Text_CAPTCHA extension (and dependencies)
 - [MUST] PHP PEAR::Mail and PEAR::Mail_Mime extensions (and dependencies)
 - [MAY] PHP PDO extension; required only when using a SQL backend


 - captcha-protected registration request
 - code-protected registration confirmation ("double opt-in"); code is sent by e-mail
 - required user's data: email, password
 - optional (configurable) user's data: title, firstname, lastname, company, jobtitle, street, street2, pobox, city, zipcode, state, country, phone, fax
 - registering user's e-mail whitelist/blacklist
 - registering user's password strength verification
 - password encryption (to match the web server's authentication requirements)
 - dynamic 24h-rotated code keys (prevent brute-force attacks)
 - registration process state tracking (prevent replay attacks)
 - registration backends: htpasswd and sql (compatible with Apache's mod_auth_file, mod_auth_mysql and mod_auth_pgsql)
 - registration e-mail notice (upon successful user registration)
 - localized and customizable HTML, e-mail templates and text messages