Fixed cookie behaviour when behind a reverse proxy with a different hostname. See PHPCRED-28
PHPCredLocker
---------------

See http://www.bentasker.co.uk/documentation/phpcredlocker/163-phpcredlocker for
documentation.

Copyright (C) 2012 B Tasker
Released under GNU Affero GPL V3 - http://www.gnu.org/licenses/agpl-3.0.txt - All
rights not explicitly permitted by the license are reserved

(Version 1 was released under GNU GPL V2, later versions are only available under the AGPL)

------------------------------

I'm not an interface designer, so the template is very rough around the edges.
It's designed to support custom templates though so you can skin and brand as
you see fit.

Passwords are encrypted with either OpenSSL or MCrypt (depending on which you
have available). The system is intended for use over an HTTPS connection, though
steps have been taken to help reduce the likelihood of credential compromise over
an HTTP connection. Still, it's _STRONGLY_ recommended that connections be made
over HTTPS to ensure that all credentials are protected in transit.

You can view a demo at http://demo.bentasker.co.uk/PHPCredLocker/ including all
developed plugins.



Why the AGPL?
---------------

As a rule, I release most software under the GNU GPL V2 (or sometimes 3). PHPCredLocker is different, however.

Given the intended use-case of CredLocker, it's not the operator who is 'at risk'. It's those who own the systems/sites that the stored credentials allow access to. Therefore, it's only right that they at least be given the opportunity to inspect the source of the system holding their credentials.

The AGPL works in exactly the same way as the GPL, but with an additional caveat: if you're running CredLocker as a web service, the users must be able to download a copy of the source.