One time password generator, validator, and qrcode generator that has no web dependencies (self-contained) in PHP
Switch branches/tags
Nothing to show
Clone or download
microvb Corrected asterisks on login form
Corrected asterisks from encoded entity to the asterisk character ( * )
in the username and password placeholders on the login form.
Latest commit ea89695 Jan 11, 2017
Type Name Latest commit message Commit time
Failed to load latest commit information.
app Corrected asterisks on login form Jan 11, 2017
.htaccess Wrapped everything up May 3, 2016 Added help button for Auethnticator field on login Jan 11, 2017


One time password generator, validator, and qrcode generator that has no web dependencies (self-contained) in PHP


This started out as a straight drop-in class which you can still download from here, however it has been developed into a full admin/usercp system using the gentelella theme converted to smarty 3.

Attribution to other Authors

All other 3rd party libraries (jquery, jquery extensions, etc) and languages (javascript/ecma, css, etc) are under their respective licenses having attribution included in the respective file(s), or in the directory containing the file(s). Absense of said license does not mean that no license applies, but it is assumed the strongest license in this project would then apply where no other license is available. If a license file/attribution was not included and you believe this to be an error, please submit it as a bug report or pull request with any license details that may have been omitted.


Download the application, and set the appropriate values in, then run /app/install . If everything passes, the database will be installed if it doesn't exist, and a new user admin with the the password admin will be created using ACL 9999 which should give plenty of access levels to play with for lower level users or admins.

Once installed, all users and administrators have access to add an authenticator to their account, and edit the following basic settings for their own account : Name, Password, Email


This was tested and runs well on the following detailed lists of all modules and extensions loaded for Apache and PHP. Many of the modules or extensions come pre-loaded but since this varies between distributions, I have included a more comprehensive list which you can tweak.


  • access_compat_module (shared)
  • actions_module (shared)
  • alias_module (shared)
  • auth_basic_module (shared)
  • authn_core_module (shared)
  • authn_file_module (shared)
  • authz_core_module (shared)
  • authz_host_module (shared)
  • authz_user_module (shared)
  • autoindex_module (shared)
  • core_module (static)
  • deflate_module (shared)
  • dir_module (shared)
  • env_module (shared)
  • fastcgi_module (shared)
  • filter_module (shared)
  • headers_module (shared)
  • http_module (static)

Loaded Modules:

  • log_config_module (static)
  • logio_module (static)
  • mime_module (shared)
  • mpm_event_module (shared)
  • negotiation_module (shared)
  • rewrite_module (shared)
  • setenvif_module (shared)
  • socache_shmcb_module (shared)
  • so_module (static)
  • ssl_module (shared)
  • status_module (shared)
  • unixd_module (static)
  • version_module (static)
  • watchdog_module (static)

PHP 5.6.17

[PHP Modules]

  • bcmath
  • bz2
  • calendar
  • Core
  • ctype
  • date
  • dba
  • dom
  • ereg
  • exif
  • fileinfo
  • filter
  • ftp
  • gd
  • gettext
  • hash
  • iconv
  • json
  • libxml
  • mbstring
  • mhash
  • mysql
  • mysqli
  • mysqlnd
  • openssl
  • pcntl
  • pcre
  • PDO
  • pdo_mysql
  • pdo_sqlite
  • Phar
  • posix
  • readline
  • Reflection
  • session
  • shmop
  • SimpleXML
  • soap
  • sockets
  • SPL
  • sqlite3
  • standard
  • sysvmsg
  • sysvsem
  • sysvshm
  • tokenizer
  • wddx
  • xml
  • xmlreader
  • xmlwriter
  • Zend OPcache
  • zip
  • zlib

[Zend Modules]

  • Zend OPcache

MariaDB 10.0.23

This should not matter too much which database platform you choose either MariaDB or MySQL, however you will need it compiled with mysqlnd (native driver) support as well as compiled into PHP.


If an authenticator is not on the users account, the authenticator code field is disregarded. If any part of the credentials fail including if the authenticator code is invalid or not a valid scratch code, a generic message is displayed stating 'Invalid Credentials' so that no clue is given making it more difficult for an attacker to guess which part of the credential system was correct by messages such as 'Invalid Password'.







If no authenticator is on the users account



If an authenticator exists on the users account:



Accounts : Add


Accounts : Added


Accounts : List





Generic Error Page handles

410 Gone instead of 404 for pages that do not have a valid modal. This script only checks for the physical existence of resource files (jpg, png, js, etc.) and denies any direct access to physical php/html/etc files. As you can see in the screenshot, if the physical resource file is missing, it will also trigger a 410 gone, showing the missing element and virtual path in the address bar. image

400 error message for resources that the user does not have permission to access. image