{"id":13405342,"url":"https://github.com/panique/huge","last_synced_at":"2025-12-16T17:45:53.166Z","repository":{"id":3203967,"uuid":"4237727","full_name":"panique/huge","owner":"panique","description":"Simple user-authentication solution, embedded into a small framework.","archived":false,"fork":false,"pushed_at":"2024-09-04T22:51:37.000Z","size":6818,"stargazers_count":2154,"open_issues_count":48,"forks_count":781,"subscribers_count":247,"default_branch":"master","last_synced_at":"2025-10-19T04:48:16.900Z","etag":null,"topics":["auth","authentication","authorization","framework","password","password-hash","php","user-auth"],"latest_commit_sha":null,"homepage":"","language":"PHP","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/panique.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2012-05-06T01:04:43.000Z","updated_at":"2025-10-19T04:27:06.000Z","dependencies_parsed_at":"2024-10-15T00:20:53.175Z","dependency_job_id":"ad91450e-1e91-4276-91e7-e9c1612af656","html_url":"https://github.com/panique/huge","commit_stats":{"total_commits":1283,"total_committers":56,"mean_commits":"22.910714285714285","dds":0.1948558067030397,"last_synced_commit":"bb38284abf640481d0ce21c268a251964ca00c22"},"previous_names":[],"tags_count":9,"template":false,"template_full_name":null,"purl":"pkg:github/panique/huge","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/panique%2Fhuge","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/panique%2Fhuge/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/G
itHub/repositories/panique%2Fhuge/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/panique%2Fhuge/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/panique","download_url":"https://codeload.github.com/panique/huge/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/panique%2Fhuge/sbom","scorecard":{"id":719184,"data":{"date":"2025-08-11","repo":{"name":"github.com/panique/huge","commit":"bb38284abf640481d0ce21c268a251964ca00c22"},"scorecard":{"version":"v5.2.1-40-gf6ed084d","commit":"f6ed084d17c9236477efd66e5b258b9d4cc7b389"},"score":3,"checks":[{"name":"Packaging","score":-1,"reason":"packaging workflow not detected","details":["Warn: no GitHub/GitLab publishing workflow detected."],"documentation":{"short":"Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#packaging"}},{"name":"Dangerous-Workflow","score":-1,"reason":"no workflows found","details":null,"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous patterns.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#dangerous-workflow"}},{"name":"Token-Permissions","score":-1,"reason":"No tokens found","details":null,"documentation":{"short":"Determines if the project's workflows follow the principle of least privilege.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#token-permissions"}},{"name":"Code-Review","score":5,"reason":"Found 8/14 approved changesets -- score normalized to 5","details":null,"documentation":{"short":"Determines if the project requires human code review before pull requests (aka merge requests) are 
merged.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#code-review"}},{"name":"Maintained","score":0,"reason":"0 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0","details":null,"documentation":{"short":"Determines if the project is \"actively maintained\".","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#maintained"}},{"name":"Binary-Artifacts","score":10,"reason":"no binaries found in the repo","details":null,"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source repository.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#binary-artifacts"}},{"name":"Pinned-Dependencies","score":0,"reason":"dependency not pinned by hash detected -- score normalized to 0","details":["Warn: downloadThenRun not pinned by hash: _one-click-installation/bootstrap.sh:66","Info:   0 out of   1 downloadThenRun dependencies pinned"],"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build process.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#pinned-dependencies"}},{"name":"CII-Best-Practices","score":0,"reason":"no effort to earn an OpenSSF best practices badge detected","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#cii-best-practices"}},{"name":"Security-Policy","score":0,"reason":"security policy file not detected","details":["Warn: no security policy file detected","Warn: no security file to analyze","Warn: no security file to analyze","Warn: no security file to analyze"],"documentation":{"short":"Determines if the project has published a security 
policy.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#security-policy"}},{"name":"Fuzzing","score":0,"reason":"project is not fuzzed","details":["Warn: no fuzzer integrations found"],"documentation":{"short":"Determines if the project uses fuzzing.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#fuzzing"}},{"name":"License","score":0,"reason":"license file not detected","details":["Warn: project does not have a license file"],"documentation":{"short":"Determines if the project has defined a license.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#license"}},{"name":"Vulnerabilities","score":10,"reason":"0 existing vulnerabilities detected","details":null,"documentation":{"short":"Determines if the project has open, known unfixed vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#vulnerabilities"}},{"name":"Signed-Releases","score":-1,"reason":"no releases found","details":null,"documentation":{"short":"Determines if the project cryptographically signs release artifacts.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#signed-releases"}},{"name":"Branch-Protection","score":0,"reason":"branch protection not enabled on development/release branches","details":["Warn: branch protection not enabled for branch 'master'"],"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection settings.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#branch-protection"}},{"name":"SAST","score":0,"reason":"SAST tool is not run on all commits -- score normalized to 0","details":["Warn: 0 commits out of 28 are checked with a SAST tool"],"documentation":{"short":"Determines if the project uses 
static code analysis.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#sast"}}]},"last_synced_at":"2025-08-22T10:45:00.008Z","repository_id":3203967,"created_at":"2025-08-22T10:45:00.008Z","updated_at":"2025-08-22T10:45:00.008Z"},"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":27768934,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-12-16T02:00:10.477Z","response_time":57,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["auth","authentication","authorization","framework","password","password-hash","php","user-auth"],"created_at":"2024-07-30T19:01:59.456Z","updated_at":"2025-12-16T17:45:53.098Z","avatar_url":"https://github.com/panique.png","language":"PHP","readme":"![HUGE, formerly \"php-login\" logo](_pictures/huge.png)\n\n# HUGE\n\n[![Scrutinizer Code Quality](https://scrutinizer-ci.com/g/panique/huge/badges/quality-score.png?b=master)](https://scrutinizer-ci.com/g/panique/huge/?branch=master)\n[![Code Climate](https://codeclimate.com/github/panique/huge/badges/gpa.svg)](https://codeclimate.com/github/panique/huge)\n[![Codacy Badge](https://api.codacy.com/project/badge/Grade/01a221d168b04b1c94a85813519dab40)](https://www.codacy.com/app/panique/huge?utm_source=github.com\u0026amp;utm_medium=referral\u0026amp;utm_content=panique/huge\u0026amp;utm_campaign=Badge_Grade)\n[![Travis 
CI](https://travis-ci.org/panique/huge.svg?branch=master)](https://travis-ci.org/panique/huge)\n[![Dependency Status](https://www.versioneye.com/user/projects/54ca11fbde7924f81a000010/badge.svg?style=flat)](https://www.versioneye.com/user/projects/54ca11fbde7924f81a000010)\n[![Support](https://supporterhq.com/api/b/9guz00i6rep05k1mwxyquz30k)](https://supporterhq.com/give/9guz00i6rep05k1mwxyquz30k)\n\nJust a simple user authentication solution inside a super-simple framework skeleton that works out-of-the-box\n(and comes with an auto-installer), using the future-proof official bcrypt password hashing/salting implementation of \nPHP 5.5+, plus some nice features that will speed up the time from idea to first usable prototype application \ndramatically. Nothing more. This project has its focus on hardcore simplicity. Everything is as simple as possible, \nmade for smaller projects, typical agency work and quick drafts. If you want to build massive corporate \napplications with all the features modern frameworks have, then have a look at [Laravel](http://laravel.com), \n[Symfony](http://symfony.com) or [Yii](http://www.yiiframework.com), but if you just want to quickly create something\nthat just works, then this script might be interesting for you.\n\nHUGE's simple-as-possible architecture was inspired by several conference talks, slides and articles about huge \napplications that - surprisingly and intentionally - go back to the basics of programming, using procedural programming, \nstatic classes, extremely simple constructs, not-totally-DRY code etc. 
while keeping the code extremely readable \n([StackOverflow](http://www.dev-metal.com/architecture-stackoverflow/), Wikipedia, SoundCloud).\n\nSome interesting Buzzwords in this context: [KISS](http://en.wikipedia.org/wiki/KISS_principle), \n[YAGNI](http://en.wikipedia.org/wiki/You_aren%27t_gonna_need_it), [Feature Creep](https://en.wikipedia.org/wiki/Feature_creep),\n[Minimum viable product](https://en.wikipedia.org/wiki/Minimum_viable_product).\n\n#### HUGE has reached \"soft End Of Life\"\n\nTo keep this project stable, secure, clean and minimal I've decided to reduce the development of HUGE to a \nminimum. *Don't worry, this is actually a good thing:* New features usually mean new bugs, lots of testing, fixes, \nincompatibilities, and for some people even hardcore update stress. As HUGE is a security-critical script new features \nare not as important as a stable and secure core, this is why people use it. This means:\n\n- HUGE will not get new features\n- but will be maintained, so it will get bugfixes, corrections etc for sure, maybe for years\n\nAnd to be honest, maintaining a framework for free in my rare free-time is also not what I want to do permanently. :)\n\nFinally a little note: The PHP world has evolved dramatically, we have excellent frameworks with awesome features and \nbig professional teams behind, very well written documentations and large communities, so there's simply no reason \nto put much work into another framework. Instead, please commit to the popular frameworks, then your work will have\nmuch more impact and is used by much more people!\n\nThanks to everybody around this project, have a wonderful time! 
\nXOXO,\nChris\n\n#### Releases \u0026 development  \n\n* stable [v3.1](https://github.com/panique/huge/releases/tag/v3.1),\n* public beta branch: [master](https://github.com/panique/huge)\n* public in-development branch (please commit new code here): [develop](https://github.com/panique/huge/tree/develop)\n\n#### Quick-Index \n\n+ [Features](#features)\n+ [Live-Demo](#live-demo)\n+ [Support](#support)\n+ [Follow the project](#follow)\n+ [License](#license)\n+ [Requirements](#requirements)\n+ [Auto-Installation](#auto-installation)\n    - [Auto-Installation in Vagrant](#auto-installation-vagrant) (also useful for 100% reproducible installation of HUGE)\n    - [Auto-Installation in Ubuntu 14.04 LTS server](#auto-installation-ubuntu)\n+ [Installation (Ubuntu 14.04 LTS)](#installation)\n    - [Quick Installation](#quick-installation)\n    - [Detailed Installation](#detailed-installation)\n    - [NGINX setup](#nginx-setup)\n    - [IIS setup](#iis-setup)\n+ [Documentation](#documentation)\n    - [How to use the user roles](#user_roles)\n    - [How to use the CSRF feature](#csrf)\n+ [Community-provided features \u0026 feature discussions](#community)\n+ [Future of the project, announcing soft EOL](#future)\n+ [Why is there no support forum anymore ?](#why-no-support-forum)\n+ [Zero tolerance for idiots, trolls and vandals](#zero-tolerance)\n+ [Contribute](#contribute)\n+ [Code-Quality scanner links](#code-quality)\n+ [Report a bug](#bug-report)\n\n### The History of HUGE\n\nBack in 2010/2011 there were no useful login solutions in the PHP world, at least not for non-experts. 
So I made the worst \nmistake every young developer does: Trying to build something by myself without having any clue about security basics.\nWhat made it even worse was: The web was (and is) full of totally broken tutorials about building user authentication \nsystems, even the biggest companies in the world did this completely wrong (we are talking about SONY, LinkedIn and\nAdobe here), and also lots of major frameworks in all big programming languages (!) used totally outdated and insecure\npassword saving technologies.\n\nHowever, in 2012 security expert [Anthony Ferrara](https://github.com/ircmaxell) published a [little PHP library](https://github.com/ircmaxell/password_compat),\nallowing extremely secure, modern and correct hashing of passwords in PHP 5.3 and 5.4, usable by every developer without any stress and without any knowledge\nabout security internals. The script was so awesome that it was written into the core of PHP 5.5, it's the de-facto standard these days.\n\nWhen this came out I tried to use this naked library to build a fully working out-of-the-box login system for several private and commercial projects,\nand put the code on GitHub. Lots of people found this useful, contributed and bugfixed the project, made forks, smaller and larger versions.\nThe result is this project.\n \nPlease note: Now, in 2015, most major frameworks have excellent user authentication logic embedded by default. This was \nnot the case years ago. So, from today's perspective it might be smarter to choose Laravel, Yii or Symfony for serious\nprojects. But feel free to try out HUGE, the auto-installer will spin up a fully working installation within minutes and\nwithout any configuration.\n\nAnd why the name \"HUGE\" ? It's a nice companion to \n[TINY](https://github.com/panique/tiny), \n[MINI](https://github.com/panique/mini) and \n[MINI2](https://github.com/panique/mini2),\n[MINI3](https://github.com/panique/mini3),\nwhich are some of my other older projects. 
Super-minimal micro frameworks for extremely fast and simple development of simple websites.\n\n### Features \u003ca name=\"features\"\u003e\u003c/a\u003e\n* built with the official PHP password hashing functions, fitting the most modern password hashing/salting web standards\n* proper security features, like CSRF blocking (via form tokens), encryption of cookie contents etc.\n* users can register, login, logout (with username, email, password)\n* password-forget / reset\n* remember-me (login via cookie)\n* account verification via mail\n* captcha\n* failed-login-throttling\n* user profiles\n* account upgrade / downgrade\n* simple user types (type 1, type 2, admin)\n* supports local avatars and remote Gravatars\n* supports native mail and SMTP sending (via PHPMailer and other tools)\n* uses PDO for database access for sure, has nice DatabaseFactory (in case your project goes big) \n* uses URL rewriting (\"beautiful URLs\")\n* proper split of application and public files (requests only go into /public)\n* uses Composer to load external dependencies (PHPMailer, Captcha-Generator, etc.) for sure\n* fits PSR-0/1/2/4 coding guidelines\n* uses [Post-Redirect-Get pattern](https://en.wikipedia.org/wiki/Post/Redirect/Get) for nice application flow\n* masses of comments\n* is actively maintained and bug-fixed (however, no big new features as project slowly reaches End of Life)\n\n### Planned features\n\n* A real documentation (currently there's none, but the code is well commented)\n  \n### Live-Demo \u003ca name=\"live-demo\"\u003e\u003c/a\u003e\n\nSee a [live demo of older 3.0 version here](http://104.131.8.128) and [the server's phpinfo() here](104.131.8.128/info.php).\n\n### Support the project \u003ca name=\"support\"\u003e\u003c/a\u003e\n\nThere is a lot of work behind this project. I might save you hundreds, maybe thousands of hours of work (calculate that\nin developer costs). 
So when you are earning money by using HUGE, be fair and give something back to open-source.\nHUGE is totally free for private and commercial use.\n\nSupport the project by renting a server at [DigitalOcean](https://www.digitalocean.com/?refcode=40d978532a20) or just tipping a coffee at BuyMeACoffee.com. Thanks! :)\n\n\u003ca href=\"https://www.buymeacoffee.com/panique\" target=\"_blank\"\u003e\u003cimg src=\"https://cdn.buymeacoffee.com/buttons/v2/default-yellow.png\" alt=\"Buy Me A Coffee\" style=\"height: 60px !important;width: 217px !important;\" \u003e\u003c/a\u003e\n\nAlso feel free to contribute to this project.\n\n### License \u003ca name=\"license\"\u003e\u003c/a\u003e\n\nLicensed under [MIT](http://www.opensource.org/licenses/mit-license.php). \nTotally free for private or commercial projects.\n\n### Requirements \u003ca name=\"requirements\"\u003e\u003c/a\u003e\n\nMake sure you know the basics of object-oriented programming and MVC, are able to use the command line and have\nused Composer before. This script is not for beginners.\n\n* **PHP 5.5+**\n* **MySQL 5** database (better use versions 5.5+ as very old versions have a [PDO injection bug](http://stackoverflow.com/q/134099/1114320))\n* installed PHP extensions: pdo, gd, openssl (the install guideline shows how to do this)\n* installed tools on your server: git, curl, composer (the install guideline shows how to do this)\n* for professional mail sending: an SMTP account (I use [SMTP2GO](http://www.smtp2go.com/?s=devmetal))\n* activated mod_rewrite on your server (the install guideline shows how to do this)\n\n### Auto-Installations \u003ca name=\"auto-installation\"\u003e\u003c/a\u003e\n\nYo, fully automatic. Why ? Because I always hated spending days trying to find out how to install a thing.\nThis will save you masses of time and nerves. 
Donate a coffee if you like it.\n\n#### Auto-Installation (in Vagrant) \u003ca name=\"auto-installation-vagrant\"\u003e\u003c/a\u003e\n\nIf you are using Vagrant for your development, then simply \n\n1. Add the official Ubuntu 14.04 LTS box to your Vagrant: `vagrant box add ubuntu/trusty64`\n2. Move *Vagrantfile* and *bootstrap.sh* (from *_one-click-installation* folder) to a folder where you want to initialize your project.\n3. Do `vagrant up` in that folder.\n\n5 minutes later you'll have a fully installed HUGE inside Ubuntu 14.04 LTS. The full code will be auto-synced with\nthe current folder. MySQL root password and the PHPMyAdmin root password are set to *12345678*. By default\n192.168.33.111 is the IP of your new box.\n\n#### Auto-Installation in a naked Ubuntu 14.04 LTS server \u003ca name=\"auto-installation-ubuntu\"\u003e\u003c/a\u003e\n\nExtremely simple installation in a fresh and naked typical Ubuntu 14.04 LTS server:\n\nDownload the installer script\n```bash\nwget https://raw.githubusercontent.com/panique/huge/master/_one-click-installation/bootstrap.sh\n```\n\nMake it executable\n```bash\nchmod +x bootstrap.sh\n```\n\nRun it! Give it some minutes to perform all the tasks. And yes, you can thank me later :)\n```bash\nsudo ./bootstrap.sh\n```\n### Installation \u003ca name=\"installation\"\u003e\u003c/a\u003e\n\n#### Quick guide: \u003ca name=\"quick-installation\"\u003e\u003c/a\u003e\n\n0. Make sure you have Apache, PHP, MySQL installed. [Tutorial](http://www.dev-metal.com/installsetup-basic-lamp-stack-linux-apache-mysql-php-ubuntu-14-04-lts/). \n1. Clone the repo to a folder on your server\n2. Activate mod_rewrite, route all traffic to application's /public folder. [Tutorial](http://www.dev-metal.com/enable-mod_rewrite-ubuntu-14-04-lts/).\n3. Edit application/config: Set your database credentials\n4. Execute SQL statements from application/_installation to setup database tables\n5. 
[Install Composer](http://www.dev-metal.com/install-update-composer-windows-7-ubuntu-debian-centos/),\n   run `composer install` on application's root folder to install dependencies\n6. Make avatar folder (application/public/avatars) writable\n7. For proper email usage: Set SMTP credentials in config file, set EMAIL_USE_SMTP to true\n\n\"Email does not work\" ? See the troubleshooting below. TODO\n\n#### Detailed guide (Ubuntu 14.04 LTS): \u003ca name=\"detailed-installation\"\u003e\u003c/a\u003e\n\nThis is just a quick guideline for easy setup of a development environment!\n\nMake sure you have Apache, PHP 5.5+ and MySQL installed. [Tutorial here](http://www.dev-metal.com/installsetup-basic-lamp-stack-linux-apache-mysql-php-ubuntu-14-04-lts/). \nNginx will work for sure too, but no install guidelines are available yet. \n\nEdit vhost to make clean URLs possible and route all traffic to /public folder of your project:\n```bash\nsudo nano /etc/apache2/sites-available/000-default.conf\n```\n\nand make the file look like\n```\n\u003cVirtualHost *:80\u003e\n    DocumentRoot \"/var/www/html/public\"\n    \u003cDirectory \"/var/www/html/public\"\u003e\n        AllowOverride All\n        Require all granted\n    \u003c/Directory\u003e\n\u003c/VirtualHost\u003e\n```\n\nEnable mod_rewrite and restart apache.\n```bash\nsudo a2enmod rewrite\nservice apache2 restart\n```\n\nInstall curl (needed to use git), openssl (needed to clone from GitHub, as github is https only),\nPHP GD, the graphic lib (we create captchas and avatars), and git.\n```bash\nsudo apt-get -y install curl\nsudo apt-get -y install php5-curl\nsudo apt-get -y install openssl\nsudo apt-get -y install php5-gd\nsudo apt-get -y install git\n```\n\ngit clone HUGE\n```bash\nsudo git clone https://github.com/panique/huge \"/var/www/html\"\n```\n\nInstall Composer\n```bash\ncurl -s https://getcomposer.org/installer | php\nmv composer.phar /usr/local/bin/composer\n```\n\nGo to project folder, load Composer packages 
(--dev is optional, you know the deal)\n```bash\ncd /var/www/html\ncomposer install --dev\n```\n\nExecute the SQL statements. Via phpmyadmin or via the command line for example. 12345678 is the example password.\nNote that this is written without a space.\n```bash\nsudo mysql -h \"localhost\" -u \"root\" \"-p12345678\" \u003c \"/var/www/html/application/_installation/01-create-database.sql\"\nsudo mysql -h \"localhost\" -u \"root\" \"-p12345678\" \u003c \"/var/www/html/application/_installation/02-create-table-users.sql\"\nsudo mysql -h \"localhost\" -u \"root\" \"-p12345678\" \u003c \"/var/www/html/application/_installation/03-create-table-notes.sql\"\n```\n\nMake avatar folder writable (make sure it's the correct path!)\n```bash\nsudo chown -R www-data \"/var/www/html/public/avatars\"\n```\nIf this doesn't work for you, then you might try the hard way by setting alternatively\n```bash\nsudo chmod 0777 -R \"/var/www/html/public/avatars\"\n```\n\nRemove Apache's default demo file\n```bash\nsudo rm \"/var/www/html/index.html\"\n```\n\nEdit the application's config in application/config/config.development.php and put in your database credentials.\n\nLast part (not needed for a first test): Set your SMTP credentials in the same file and set EMAIL_USE_SMTP to true, so\nyou can send proper emails. It's highly recommended to use SMTP for mail sending! Native sending via PHP's mail() will\nnot work in nearly every case (spam blocking). I use [SMTP2GO](http://www.smtp2go.com/?s=devmetal).\n\nThen check your server's IP / domain. Everything should work fine.\n\n#### NGINX setup: \u003ca name=\"nginx-setup\"\u003e\u003c/a\u003e\n\nThis is an untested NGINX setup. 
Please comment [on the ticket](https://github.com/panique/huge/issues/622) if you see \nissues.\n \n```\nserver {\n    # your listening port\n    listen 80;\n\n    # your server name\n    server_name example.com;\n\n    # your path to access log files\n    access_log /srv/www/example.com/logs/access.log;\n    error_log /srv/www/example.com/logs/error.log;\n\n    # your root\n    root /srv/www/example.com/public_html;\n\n    # huge\n    index index.php;\n\n    # huge\n    location / {\n        try_files $uri /index.php?url=$uri\u0026$args;\n    }\n\n    # your PHP config\n    location ~ \\.php$ {\n        try_files $uri  = 401;\n        include /etc/nginx/fastcgi_params;\n        fastcgi_pass unix:/var/run/php-fastcgi/php-fastcgi.socket;\n        fastcgi_index index.php;\n        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;\n    }\n}\n```\n\n#### IIS setup: \u003ca name=\"iis-setup\"\u003e\u003c/a\u003e\n\nBig thanks to razuro for this fine setup: Put this inside your root folder, but don't put any web.config in your public \nfolder.\n\n```\n\u003c?xml version=\"1.0\" encoding=\"UTF-8\"?\u003e\u003cconfiguration\u003e\n    \u003csystem.webServer\u003e\n        \u003crewrite\u003e\n            \u003crules\u003e\n\t\t\t\n                \u003crule name=\"Imported Rule 1\" stopProcessing=\"true\"\u003e\n                    \u003cmatch url=\"^(.*)$\" ignoreCase=\"false\" /\u003e\n\t\t\t\t\t\u003cconditions logicalGrouping=\"MatchAll\"\u003e\n                        \u003cadd input=\"{REQUEST_FILENAME}\" matchType=\"IsDirectory\" ignoreCase=\"false\" negate=\"true\" /\u003e\n                        \u003cadd input=\"{REQUEST_FILENAME}\" matchType=\"IsFile\" ignoreCase=\"false\" negate=\"true\" /\u003e\n                    \u003c/conditions\u003e\n                    \u003caction type=\"Rewrite\" url=\"public/index.php?url={R:1}\" /\u003e\n                \u003c/rule\u003e\n            \u003c/rules\u003e\n        \u003c/rewrite\u003e\n    
\u003c/system.webServer\u003e\n\u003c/configuration\u003e\n```\n\nFind the original [ticket here](https://github.com/panique/huge/issues/788).\n\n#### Testing with demo users\n\nBy default there are two demo users, a normal user and an admin user. For more info on that please have a look on the\nuser role part of the small documentation block inside this readme.\n \nNormal user: Username is `demo2`, password is `12345678`. The user is already activated.\nAdmin user (can delete and suspend other users): Username is `demo`, password is `12345678`. The user is already activated.\n\n### What the hell are .travis.yml, .scrutinizer.yml etc. ?\n\nThere are several files in the root folder of the project that might be irritating:\n\n - *.htaccess* (optionally) routes all traffic to /public/index.php! If you installed this project correctly, then this\n   file is not necessary, but as lots of people have problems setting up the vhost correctly, .htaccess it still there\n   to increase security, even on partly-broken-installations.\n - *.scrutinizer.yml* (can be deleted): Configs for the external code quality analyzer Scrutinizer, just used here on\n   GitHub, you don't need this for your project.\n - *.travis.yml* (can be deleted): Same like above. Travis is an external service that creates installations of this\n   repo after each code change to make sure everything runs fine. Also runs the unit tests. You don't need this inside\n   your project.\n - *composer.json* (important): You should know what this does. ;) This file says what external dependencies are used.  \n - *travis-ci-apache* (can be deleted): Config file for Travis, see above, so Travis knows how to setup the Apache.    \n    \n*README* and *CHANGELOG* are self-explaining.\n\n### Documentation \u003ca name=\"documentation\"\u003e\u003c/a\u003e\n\nA real documentation is in the making. 
Until then, please have a look at the code and use your IDE's code completion \nfeatures to get an idea of how things work, it's quite obvious when you look at the controller files, the model files and\nhow data is shown in the view files. A big sorry that there's no documentation yet, but time is rare and we are all\ndoing this for free in our free time :)\n \n - TODO: Full documentation\n - TODO: Basic examples on how to do things\n \n#### How to use the different user roles \u003ca name=\"user_roles\"\u003e\u003c/a\u003e\n\nCurrently there are two types of users: Normal users and admins. They are exactly the same, but...\n \n1. Admin users can delete and suspend other users, they have an additional button \"admin\" in the navigation. Admin users\nhave a value of `7` inside the database table field `user_account_type`. They cannot upgrade or downgrade their accounts \n(as this wouldn't make sense).\n\n2. Normal users don't have admin features for sure. But they can upgrade and downgrade their accounts (try it out via\n/user/changeUserRole), which is basically a super-simple implementation of the basic-user / premium-user concept. \nNormal users have a value of `1` or `2` inside the database table field `user_account_type`. By default all new \nregistered users are normal users with user role 1 for sure.\n\nSee the \"Testing with demo users\" section of this readme for more info.\n\nThere's also a very interesting [pull request adding user roles and user permissions](https://github.com/panique/huge/pull/691),\nwhich is not integrated into the project as it's too advanced and complex. But, this might be exactly what you need,\nfeel free to try.\n\n#### How to use the CSRF feature \u003ca name=\"csrf\"\u003e\u003c/a\u003e\n \nTo prevent [CSRF attacks](https://en.wikipedia.org/wiki/Cross-site_request_forgery), HUGE does this in the most common \nway, by using a security *token* when the user submits critical forms. 
This means: When PHP renders a form for the user, \nthe application puts a \"random string\" inside the form (as a hidden input field), generated via Csrf::makeToken() \n(application/core/Csrf.php), which also saves this token to the session. When the form is submitted, the application \nchecks if the POST request contains exactly the form token that is inside the session.\n  \nThis CSRF prevention feature is currently implemented on the login form process (see *application/view/login/index.php*)\nand user name change form process (see *application/view/user/editUsername.php*), most other forms are not security-\ncritical and should stay as simple as possible.\n\nSo, to do this with a normal form, simply: At your form, before the submit button put:\n`\u003cinput type=\"hidden\" name=\"csrf_token\" value=\"\u003c?= Csrf::makeToken(); ?\u003e\" /\u003e`\nThen, in the controller action validate the CSRF token submitted with the form by doing:\n```\n// check if csrf token is valid\nif (!Csrf::isTokenValid()) {\n    LoginModel::logout();\n    Redirect::home();\n    exit();\n}\n```\n\nA big thanks to OmarElGabry for implementing this!\n\n#### Can a user be logged in from multiple devices ?\n\nIn theory: Yes, but this feature didn't work in my tests. As it's an external feature please have a look into the \n[corresponding ticket](https://github.com/panique/huge/pull/693) for more.\n\n#### Troubleshooting \u0026 Glitches\n\n* In 3.0 and 3.1 a user could log into the application from different devices / browsers / locations. This was intended\n  behaviour as this is standard in most web applications these days. In 3.2 this feature is still \"missing\" by default, a \n  user will only be able to log in from one browser at the same time. This is a security improvement, but for sure not \n  optimal for many developers. The plan is to implement a config switch that will allow / disallow logins from multiple \n  browsers.\n* Using this on a sub-domain ? 
You might get problems with the cookies in IE11. Fix this by replacing \"/\" with \"./\" in \n  the cookie location COOKIE_PATH inside application/config/config.xxx.php! \n  Check [ticket #733](https://github.com/panique/huge/issues/733) for more info. Thanks to jahbiuabft for figuring this\n  out. Update: There's another ticket focusing on the same issue: [ticket #681](https://github.com/panique/huge/issues/681)\n \n### Community-provided features \u0026 feature discussions \u003ca name=\"community\"\u003e\u003c/a\u003e\n\nThere are some awesome features or feature ideas built by awesome people, but these features are too special-interest\nto go into the main version of HUGE, but have a look into these tickets if you are interested:\n\n - [Caching system](https://github.com/panique/huge/issues/643)\n - [ReCaptcha as captcha](https://github.com/panique/huge/issues/665)\n - [Internationalization feature](https://github.com/panique/huge/issues/582)\n - [Using controller A inside controller B](https://github.com/panique/huge/issues/706)\n - [HTML mails](https://github.com/panique/huge/issues/738)\n - [Deep user roles / user permission system](https://github.com/panique/huge/pull/691)\n \n### Future of HUGE: Announcing \"soft End Of Life\" \u003ca name=\"future\"\u003e\u003c/a\u003e\n \nThe idea of this project is and was to provide a super-simple barebone application with a full user authentication\nsystem inside that just works fine and stable. Due to the highly security-related nature of this script any changes \nmean a lot of work, lots of testing, catching edge cases etc., and in the end I spent 90% of the time testing and fixing\nnew features or new features break existing stuff, and doing this is really not what anybody wants to do for free in\nthe rare free-time :)\n\nTo keep the project stable, clean and maintainable, I would kindly announce the \"soft-End of Life\" for this project, \nmeaning:\n\nA. 
HUGE will not get any new features in the future, but ...\nB. bugfixes and corrections will be made, probably for years\n\n### Coding guideline behind HUGE\n\nWhile HUGE was in development, there were 3 main rules that helped me (and probably others) to write minimal, clean\n and working code. Might be useful for you too:\n\n1. Reduce features to the bare minimum.\n2. Don't implement features that are not needed by most users.\n3. Only build everything for the most common use case (like MySQL, not PostgreSQL, NoSQL etc).\n\nAs noted in the intro of this README, there are also some powerful concepts that might help you when developing cool \nstuff: [KISS](http://en.wikipedia.org/wiki/KISS_principle), \n[YAGNI](http://en.wikipedia.org/wiki/You_aren%27t_gonna_need_it), [Feature Creep](https://en.wikipedia.org/wiki/Feature_creep),\n[Minimum viable product](https://en.wikipedia.org/wiki/Minimum_viable_product).\n \n#### List of features / ideas provided in tickets / pull requests\n\nTo avoid unnecessary work for all of us I would kindly recommend everybody to use HUGE for simple projects that only\nneed the features that already exist, and if you really need a RESTful architecture, migrations, routing, 2FA etc,\nthen it's easier, cleaner and faster to simply use Laravel, Symfony or Zend.\n\nHowever, here are the community-suggested possible features, taken from lots of tickets. Feel free to implement them\ninto your forks of the project: \n\n* OAuth2 implementation (let your users create accounts and login via 3rd party auth, like Facebook, Twitter, GitHub, \n  etc). As this is a lot of work and would make the project much more complicated it might make sense to do this in a \n  fork or totally skip it. 
(see [Ticket #528](https://github.com/panique/huge/issues/528))\n* Router (map all URLs to the corresponding controller methods inside one file), [Ticket 727](https://github.com/panique/huge/issues/727)\n* RESTful architecture (see [ticket #488](https://github.com/panique/huge/issues/488) for discussion)\n* Horizontal MySQL scaling (see [ticket #423](https://github.com/panique/huge/issues/423) for discussion)\n* Modules / middleware\n* Logging\n* Two-Factor-Authentication (see [ticket #732](https://github.com/panique/huge/issues/732))\n* Controller-less URLs (see [ticket #704](https://github.com/panique/huge/issues/704))\n* Email-re-validation after email change (see [ticket #705](https://github.com/panique/huge/issues/705))\n* Connect to multiple databases (see [ticket #702](https://github.com/panique/huge/issues/702))\n* A deeper user role system (see [ticket #701](https://github.com/panique/huge/issues/701), \n[pull-request #691](https://github.com/panique/huge/pull/691)), \n[ticket #603](https://github.com/panique/huge/issues/603)\n* How to run without using Composer [ticket #826](https://github.com/panique/huge/issues/826)\n\n### Why is there no support forum (anymore) ? \u003ca name=\"why-no-support-forum\"\u003e\u003c/a\u003e\n\nThere were two (!) support forums for v1 and v2 of this project (HUGE is v3), and both were vandalized by people who\ndidn't even read the readme and / or the install guidelines. The most asked question was \"script does not work plz help\"\nwithout giving any useful information (like code or server setup or even the version used). While I'm writing these \nlines somebody just asked via Twitter \"how to install without Composer\". You know what I mean :) - 99% of the questions \nwere not necessary if the people had read the guidelines, done minimal research on their own or stopped making \nthings so unnecessarily complicated. 
And even when writing detailed answers most of them still messed it up, resulting \nin rants and complaints (for free support for a free software!). It was just frustrating to deal with this every day, \nespecially when people take it for totally granted that *it's the duty* of open-source developers to give detailed, \nfree and personal support for every \"plz help\"-request.\n \nSo I decided to completely stop any free support. For serious questions about real problems inside the script please\nuse the GitHub issues feature.\n\n### Zero tolerance for idiots, trolls and vandals! \u003ca name=\"zero-tolerance\"\u003e\u003c/a\u003e\n\nHarsh words, but as basically every public internet project gets harassed, vandalized and trolled these days by very \nstrange people it's necessary: Some simple rules. \n\n1. Respect that this is just a simple script written by unpaid volunteers in their free-time. \n   This is NOT business-software you've bought for $10.000.\n   There's no reason to complain (!) about free open-source software. The attitude against free software\n   is really frustrating these days, people take everything for granted without realizing the work behind it, and the\n   fact that they get serious software totally for free, saving thousands of dollars. If you don't like it, then don't \n   use it. If you want a feature, try to take part in the process, maybe even build it by yourself and add it to the \n   project! Be nice and respectful. Constructive criticism is for sure always welcome!\n   \n2. Don't bash, don't hate, don't spam, don't vandalize. Please don't ask for personal free support, don't ask if \n   somebody could do your work for you. Before you ask something, make sure you've read the README, followed every \n   tutorial, double-checked the code and tried to solve the problem by yourself.\n\nTrolls and very annoying people will get a permanent ban / block. 
GitHub has a very powerful anti-abuse team.\n\n### Contribute \u003ca name=\"contribute\"\u003e\u003c/a\u003e\n\nPlease commit only to the *develop* branch. The *master* branch will always contain the stable version.\n\n### Code-Quality scanner links \u003ca name=\"code-quality\"\u003e\u003c/a\u003e\n\n[Scrutinizer (master branch)](https://scrutinizer-ci.com/g/panique/huge/?branch=master),\n[Scrutinizer (develop branch)](https://scrutinizer-ci.com/g/panique/huge/?branch=develop),\n[Code Climate](https://codeclimate.com/github/panique/huge),\n[Codacy](https://www.codacy.com/public/panique/phplogin/dashboard?bid=789836), \n[SensioLabs Insight](https://insight.sensiolabs.com/projects/d4f4e3c0-1445-4245-8cb2-d75026c11fa7/analyses/2).\n\n### Found a bug (Responsible Disclosure) ? \u003ca name=\"bug-report\"\u003e\u003c/a\u003e\n\nDue to the possible consequences when publishing a bug on a public open-source project I'd kindly ask you to send really\nserious bugs to my email address instead of posting them here. If the bug is not interesting for attackers: Feel free to create\na normal GitHub issue.\n\n### Current and further development\n\nSee active issues here:\nhttps://github.com/panique/huge/issues?state=open\n\n### Why you should use a favicon.ico in your project :)\n\nInteresting issue: When a user hits your website, the user's browser will also request one or more (!) favicons \n(different sizes). If these static files don't exist, your application will start to generate a 404 response and a 404 \npage for each file. 
This wastes a lot of server power and is also useless, therefore make sure you always have favicons\nor handle this from Apache/nginx level.\n\nHUGE tries to handle this by sending an empty image in the head of the view/_templates/header.php !\n\nMore inside this ticket: [Return proper 404 for missing favicon.ico, missing images etc.](https://github.com/panique/huge/issues/530)\n\nMore here on Stackflow: [How to prevent favicon.ico requests?](http://stackoverflow.com/questions/1321878/how-to-prevent-favicon-ico-requests),\n[Isn't it silly that a tiny favicon requires yet another HTTP request? How to make favicon go into a sprite?](http://stackoverflow.com/questions/5199902/isnt-it-silly-that-a-tiny-favicon-requires-yet-another-http-request-how-to-mak?lq=1).\n\n### Useful links\n\n- [How long will my session last?](http://stackoverflow.com/questions/1516266/how-long-will-my-session-last/1516338#1516338)\n- [How to do expire a PHP session after X minutes?](http://stackoverflow.com/questions/520237/how-do-i-expire-a-php-session-after-30-minutes/1270960#1270960)\n- [How to use PDO](http://wiki.hashphp.org/PDO_Tutorial_for_MySQL_Developers)\n- [A short guideline on how to use the PHP 5.5 password hashing functions and its PHP 5.3 \u0026 5.4 implementations](http://www.dev-metal.com/use-php-5-5-password-hashing-functions/)\n- [How to setup latest version of PHP 5.5 on Ubuntu 12.04 LTS](http://www.dev-metal.com/how-to-setup-latest-version-of-php-5-5-on-ubuntu-12-04-lts/)\n- [How to setup latest version of PHP 5.5 on Debian Wheezy 7.0/7.1 (and how to fix the GPG key error)](http://www.dev-metal.com/setup-latest-version-php-5-5-debian-wheezy-7-07-1-fix-gpg-key-error/)\n- [Notes on password \u0026 hashing salting in upcoming PHP versions (PHP 5.5.x \u0026 5.6 etc.)](https://github.com/panique/huge/wiki/Notes-on-password-\u0026-hashing-salting-in-upcoming-PHP-versions-%28PHP-5.5.x-\u0026-5.6-etc.%29)\n- [Some basic \"benchmarks\" of all PHP hash/salt 
algorithms](https://github.com/panique/huge/wiki/Which-hashing-\u0026-salting-algorithm-should-be-used-%3F)\n- [How to prevent PHP sessions being shared between different apache vhosts / different applications](http://www.dev-metal.com/prevent-php-sessions-shared-different-apache-vhosts-different-applications/)\n\n## Interesting links regarding user authentication and application security\n\n- [interesting article about password resets (by Troy Hunt, security expert)](http://www.troyhunt.com/2012/05/everything-you-ever-wanted-to-know.html)\n- Password-Free Email Logins: [Ticket \u0026 discussion](https://github.com/panique/huge/issues/674), [article](http://techcrunch.com/2015/06/30/blogging-site-medium-rolls-out-password-free-email-logins/?ref=webdesignernews.com)\n- Logging in via QR code: [Ticket \u0026 discussion](https://github.com/panique/huge/issues/290), [english article](https://www.grc.com/sqrl/sqrl.htm), \n  [german article](http://www.phpgangsta.de/sesam-oeffne-dich-sicher-einloggen-im-internetcafe), \n  [repo](https://github.com/PHPGangsta/Sesame), [live-demo](http://sesame.phpgangsta.de/). Big thanks to *PHPGangsta* for writing this!\n  \n### My blog\n\nI'm also blogging at **[Dev Metal](http://www.dev-metal.com)**.\n","funding_links":["https://www.buymeacoffee.com/panique"],"categories":["PHP"],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fpanique%2Fhuge","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fpanique%2Fhuge","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fpanique%2Fhuge/lists"}