Website Login System and User Manager

Lock it down.  Secure your website's content — even offer paid subscriptions — or give each of your users a private page.  UserBase makes it easy.
I just installed the demo of your product and got it up and running in no time. I searched high and low for a decent login script and thank God I found yours.
– Adrian F.

ChangeLog for UserBase

v3.25 (20171112):

  • The subadmin feature is now much easier to use: there's now a subadmin group built-in, so all you need to do is add users to it -- no configuration required.
  • The PageLock and DirLock listings now include a filter to exclude items like wp-includes and wp-content, which you generally don't want to lock, and so just clutter up the listings.

v3.24 (20170907):

  • New option to show joined/expiration dates for each temporary/subscription group on the edit-user-account form, and on the profile pages.

v3.23 (20170830):

  • The admin can now view and adjust user expiration dates within temporary/subscription groups.
  • UserBase can now send a notification email before a user's membership in a temporary/subscription group expires...
  • ...and users can now renew subscriptions within temporary groups before they actually expire, instead of having to wait until the expiration has occurred.
  • For webpages in DirLock-protected folders, UserBase can now pull in the contents of any additional pages specified in SHTML #virtual directives, as well as UserBase's format=justlink output in a virtual.
  • New options:
  • In WebConfig, the DirLock-related settings are now moved to the bottom of the page and a warning is shown above them, explaining that they generally shouldn't be adjusted via WebConfig, but rather through the DirLock page. This avoids confusion and makes the rest of the settings easier to manage.
  • Plus-signs are now supported in usernames and groupnames (optional).
  • Made a few items easier to adjust without having to edit the bigger template prefs: the intro on the user form, the join-paid-group button label, the PayPal account note in the footer of the checkout page...

v3.22 (20170808):

  • Bugfixes/performance updates.

v3.21 (20170524):

  • Bugfixes/performance updates.

v3.20 (20170302):

  • Bugfixes/performance updates.

v3.19 (20170221):

  • Bugfixes/performance updates.

v3.18 (20170127):

  • Bugfixes/performance updates.

v3.17 (20160802):

  • Improved the in-app documentation (instructions) for DirLock and PageLock, and hid the /cgi-bin directory from the DirLock listing (since that should never be DirLocked; it would break UserBase and any other CGI apps).

v3.16 (20160801):

  • New web-based DirLock Manager: you can now easily lock/unlock your protected folders via web browser, without having to edit any config files.

v3.15 (20160725):

  • The PageLock feature now allows you to specify groups besides "member", and now has much better in-app documentation.
  • Bugfix: on the Manage Groups page, the show_on_signup_page option for each group wouldn't take effect until you also adjusted the groups_allowed_to_see_groups_on_user_form setting.  But that's counter-intuitive, and really the checkbox in Manage Groups should prevail, so now it does.

v3.14 (20160710):

  • Change from ISO-8859-1 to UTF-8 throughout the app.
  • Improved the SQL-safe logic, which previously didn't really block much, but did cause a lot of headaches for non-English characters.
  • Improved the Send Test Email feature, and improved logging of sent-mail details, to make email configuration easier, and make it easier to troubleshoot any problems with your SMTP server and/or sendmail installation.
  • New page that shows all installed Perl modules, with instructions for how to install any missing ones that UserBase may need.
  • General code cleanup.
  • Bugfix: saving some really large pref values (e.g. $PREF{css}) via WebConfig could fail if the pref got too big.
  • Bugfix: when using paid groups and the go_directly_to_PayPal... option, users could sometimes get stuck on the "Please wait..." page instead of being sent directly to PayPal.
  • Bugfix: in rare cases (probably only during an upgrade), a not-very-helpful error about negative user IDs could occur.

v3.13 (20160624):

  • New bulk user action: enable the force-pw-change flag on all accounts.  This is similar to the force-password-reset feature that already existed, but whereas that forces users to reset their passwords before they can log in, force-pw-change lets them log in first.
  • You can now download your WebConfig file (for backup purposes) directly from the WebConfig page.
  • The Group Log page now shows separate columns for userid and username.
  • In some rare cases (transient DB connection failures?) we display the "Congratulations" setup page, even though the app is already set up.  This page doesn't actually let the user alter the app config in any way, but it does prevent him from using the app.  Now we'll log every time this page is displayed, in order to try and track down the cause of the problem on the servers where this occurs.
  • Change from ISO-8859-1 to UTF-8 on all our AJAX requests, which should help with internationalization.
  • Bugfix: using WebConfig to edit any pref containing a </textarea> tag would fail.
  • Bugfix: when editing prefs via WebConfig, if the pref value contained an $ENV or $PREF var, it would break upon saving the new value.  Same for newlines: some prefs contain the \n escape sequence, and those would appear (and be saved) as literal "\n" characters instead of newlines.
  • Bugfix: for certain critical prefs (e.g. database settings, salts) that should never contain newlines, always strip off any that appear (which was happening in some cases when editing those via WebConfig).
  • Bugfix: the Payments Report page would show all years going back to year zero on sites that had no payments.
  • Bugfix: if the test-database-connection step fails, which sometimes happens due to missing Perl modules, show that error, rather than just saying that it failed.
  • Bugfix: for certain rare errors that occurred during the initial installation, we would fail to display the error message, so the app would appear stuck, for no discernable reason.
  • Bugfix: for paid groups, if you left the Code field blank, all payments would be applied to the 'public' group instead.  The Code field is now a required field for paid groups, to avoid this problem.
  • Bugfix: some prefs with long names were getting cut off/overlapping on the WebConfig page.

(Changelogs for v3.03 - v3.12 coming soon.)

v3.02 (20150609):

  • New PageLock/DirLock Manager: you can now lock/unlock your password-protected webpages and folders all via web browser, without having to manually edit any files/folders on your site. (Update: the DirLock Manager wasn't quite ready and was pulled from this release.)
  • New password-strength meters on all new-password fields, so that you (or more to the point, your users) can see how strong or weak your password is, and thus be encouraged to use a better one.
  • Bugfixes.

v3.01 (20150417):

  • Bugfixes.

v3.00 (20150413):

  • Introducing WebConfig!  You can now do all of UserBase's configuration via web browser, without having to edit any config files.  But the config files (prefs files) are still there, and can still be used, if you prefer that method instead.
  • Security upgrade: UserBase's authentication system has been updated to a newer, stronger hash, and now also uses a per-site salt to further strengthen the hashes, as well as a large number of hash iterations for additional protection.  Accounts on existing installations with have their stored password hashes automatically upgraded on each account's next login, or you can force-reset them immediately.
  • New interactive database-settings-config page, where you can enter your database settings and test them via a single page in your web browser.
  • New interactive email-settings-config page, where you can enter your email server details and test them (by sending a test email) via a single page in your web browser.  Very useful for when your email provider changes a setting on you, or your emails just seem to stop arriving for some reason, etc.  The problem in those cases is virtually never with UserBase, but now it'll let you quickly pinpoint what IS causing it, and correct the settings easily.
  • Many other improvements and bugfixes, with details coming soon.

v2.55 (20141118):

  • We now automatically strip leading and trailing spaces from usernames and passwords during login.  This might not seem like a big deal, if you don't know that a scarily-large percentage of users will ONLY ever login by copying and pasting their user/pass from somewhere they've saved it, and that they'll often have random spaces stuck on the end of their pasted text... with the result being that these kinds of users repeatedly have failed logins, and then repeatedly reset their passwords, only to re-create the same problem for themselves over and over again.  So you can save these users (and yourself) a lot of headache by keeping these new strip_leading_and_trailing_spaces prefs enabled.

v2.54 (20140314):

  • We're now using the mysql_auto_reconnect feature again, after a longstanding bug in that Perl module was apparently fixed, meaning we no longer have to rely on our own internal workaround for dropped MySQL connections, which is good since it only worked about 99% of the time -- it was still possible for a dropped connection to cause an error that we couldn't detect, if the drop occurred at just the right (wrong) time.
  • New Test Email Sending link on the admin menu, for easier access to the ?do_email_test page.
  • The email test page has been greatly improved, with a more detailed explanation of which delivery methods were tried, which prefs need to be adjusted in the event of a failed delivery, notes about required Perl modules and SMTP auth, and where to find more help.
  • New treat_sendmail_closing_error_as_failed_delivery setting, required on some servers where sendmail doesn't act quite right so we couldn't tell for sure whether a message had been successfully sent.
  • Bugfix: when email delivery fails and we retry 2 times before giving up, if all 3 attempts failed, our error message said "attempt 4 of 3" instead of "3 of 3".

v2.53 (20140224):

  • New $PREF{title_text} setting, used throughout many other prefs (mainly email templates) replacing the previously-hardcoded "UserBase" string, to easily customize them all at once with the name of your business or organization.
  • New static_css_url and static_js_url settings, and a new feature that creates and updates them automatically, so that embedding UserBase into a page in your website is easier and will load faster.
  • Re-organized the prefs file to move shared prefs (mostly styling and text strings) to a single section, to make multi-app installations easier to configure.
  • Split the user_form_fields_template up a bit into smaller sub-templates so it's easier to put prefs adjustments in a _prefs_extra.cgi file without having to pull in such a big template, which kind of defeats the purpose.
  • Improved the documentation on the Mainmenu Editor page: moved it from the page footer to per-field, and added an explanation of the best URL format to use for the links.
  • Bugfix: the format=justlink and format=mini embed features (to show just a login/logout link, or a mini login form) would instead display the forced you-must-change-your-password-now message for accounts that needed to do that, when the link/mini form was included on a page where UserBase itself was also embedded, resulting in that change-password form appearing twice on the same page.
  • Bugfix: the sort order of the group-links tables on the Account Center page was wrong on sites with more than 9 groups (stinkin' string-sort...)
  • Bugfix: if a user signs up for an account, and the admin deletes the account (deciding not to approve it) before the user clicks the link in the verification email, then if/when the user does click that link, he'd get an obscure MySQL error.  Now he gets a simple "Error: account not approved" message instead.

v2.52 (20131202):

  • Bugfix: on the Account Center page, installations that were updated from a previous version might show duplicate links for View Group Log and/or View Sent Mail.
  • Bugfix: the Join A Paid Group page would display an error if no promo_code custom field had been created.

v2.51 (20131126):

  • New mail-retry feature, so that when we try to send an email but it fails, we'll automatically retry 2 times right away.  Of course this can't overcome sending errors that are due to a misconfiguration of your prefs, but it helps greatly whenever there's a temporary glitch with a mailserver, which happens surprisingly often.
  • New $PREF{log_all_sent_mail} feature, including a viewer so you can browse all the mail sent by UserBase.  Helpful for debugging mail-sending problems, or if you just like to keep a log of all outgoing mail.
  • UserBase's internal mail-sending function now allows the To: parameter to be a list of multiple recipients, which means in any pref/feature where you specify a recipient email address, you can now include multiple recipients (of course many such prefs/features already supported this in a different way, but now it works for all emails).
  • Bugfix: new $PREF{protected_directory_default_index_filename} setting, to specify the page to be displayed when someone browses to one of your protected directories itself, without specifying a page (previously we just showed the UserBase Account Center page in this case).
  • Bugfix: on installations which had been updated from previous versions, some of the group menus on the Account Center page would be erroneously hidden in some cases.
  • Security update (minor): in the protected-pages feature, UserBase previously used a URL variable to display a please-login message within the page, which could allow an XSS attack (which is an attack on visitors' browsers, not on the server, and which most browsers themselves block anyway).

v2.50 (20131028):

  • Performance boost: decreased the number of iterations in the expand_custom_vars_in_prefs___inner sub (used for allowing prefs to be set with values of other prefs, i.e. nested) in a way that can cut a few hundred MS off our execution time without any other effect on the app.
  • Performance boost: new skip_database_table_creation pref, which can speed up load time quite a bit depending on your server and database server, since technically we only need to check/create the tables the first time we run and once after each update.
  • Performance boost: the Manage Users page is now significantly faster to load on sites with many user accounts.
  • Security improvement: new password_reset_delay feature, to prevent certain kinds of brute-force attacks against the password-reset page.
  • New group log feature, showing each time a user is added to or removed from a group.
  • New promo code feature for paid groups, so you can give out discounts for your customers to use when signing up.
  • New settings for installations where you want your visitors to be forced to join a group during sign-up:
  • When you're offering paid accounts, we'll now skip the choose-a-paid-group page, going directly to the PayPal payment page instead, in cases where the page would have only shown a single group anyway.
  • New code to check for invalid/non-standard/otherwise-screwy remote IP addresses and fix them when possible.
  • New encodable_app_template_static_css and _js prefs, for use with the encodable_app_template_file feature, for improved performance when using the template (avoiding 2 calls to the script by using static files instead).
  • New static_hostname setting, for servers on networks where there are long delays for hostname lookups, which would previously cause UserBase to take a long time to load, since it had to wait for the lookup.  Now you can manually set your hostname and skip the lookup.
  • For protected directories, UserBase can now do variable substitution (e.g. $PREF{logged_in_username}) on the protected pages within the directory.
  • Protected directories can now have their access controls set on a per-user basis, not just per-group as before.
  • Moved database table names out of prefs file, since they should virtually never be changed, and having them there was just confusing.
  • Various small improvements to our database-viewer pages.
  • Bugfix: in some error cases we displayed a vague "Message expired" error; now we'll display more about what really went wrong.
  • Bugfix: added default clauses to all of our SQL table-creation commands, necessary to prevent errors under some rare MySQL configurations.
  • Bugfix: we no longer set the PATH env var to a sane Linux/Unix value if we're running on a Windows server.

v2.49 (20130910):

  • Security update: improved blocking of potential XSS attacks.  Most web browsers now block those at the browser level anyway, but it doesn't hurt to keep ours as thorough as possible.

v2.48 (20130511):

  • Bugfix: the $PREF{disposition_for_NNN} settings, used for specifying whether protected pages/files should be displayed in the browser or downloaded, were ignored in some cases.

v2.47 (20130208):

  • Bugfix: the Custom Fields Manager page would sometimes display a syntax error if you had custom fields but no field sections defined.

v2.46 (20130202):

  • Bugfix: the new temporary and subscription group types had their auto-expiration dates calculated incorrectly in some cases.

v2.45 (20130126):

  • Improved the documentation for custom form fields: moved it from one big paragraph at the bottom of the form explaining all the form fields, to inline comments next to each form field explaining just that field's purpose.
  • For mail-sending operations (email verification during sign-up, admin notifications, etc), in addition to sendmail and SMTP, we now support the Net::SMTP::TLS module, as another option for servers that are extremely finicky and/or crippled in terms of their mail-sending capabilities.

v2.44 (20130125):

  • UserBase now supports subscription payments for paid accounts that are automatically re-billed on a regular basis (e.g. monthly).
  • New "temporary" group type, for group memberships that automatically expire after a period of time that you specify.
  • The paid-accounts feature has been improved and simplified: it is now configured via the Manage Groups page, where you can specify the cost (if any) of each group, along with the length of the term in days for temporary/subscription accounts, etc.

v2.43 (20120806):

  • New features:
  • New %QS hash to allow you to use variables from the URL's query-string within your prefs file (e.g. "%QS{foo}" will turn into "bar" if ?foo=bar is passed on the URL).
  • We now support the Digest::SHA module, in addition to Digest::SHA1, for servers where the latter isn't installed.
  • Bugfix: some boolean/checkbox custom fields would display this spurious error message: "The value for %%item%% must be either null or else 'on'; '[0 or 1]' is invalid."  In actuality, 0 and 1 are the correct values.
  • New $PREF{server_handles_ip_addresses_incorrectly} setting, for servers that don't provide accurate/consistent identification of client IP addresses via environment variables.  This is unnecessary on 99% of servers, and it only affects certain error/confirmation messages that the app generates: normally we restrict these based on logged-in status, or IP address, but with this setting enabled, we'll allow the message to be shown with no restriction, but we'll also auto-expire it quickly to minimize the (already remote) chance that the message could be viewed by someone other than the visitor who generated it.

v2.42 (20120409):

  • New $PREF{extra_sql_safe_characters} setting, in case you want to allow other characters to be stored in your database than the ASCII ones that UserBase allows by default.
  • We now specify accept-charset="UTF-8" on our <form>s, which should resolve some internationalization issues.
  • Bugfix: if exactly 1 field section was created, then the user profile pages would display the generic "Additional Details" label above any custom fields, instead of the configured label for that particular section.
  • Miscellaneous internal changes.

v2.41 (20120228):

  • Renamed $PREF{image_path} to $PREF{app_images_url}.
  • Separated the confirmation messages for new-user-added (by admin) and new-signup-successful.
  • Miscellaneous internal changes.

v2.40 (20120203):

  • New $PREF{send_payment_notification_emails} feature, so that for paid accounts, you'll get an email from UserBase, in addition to the one from PayPal.
  • New $PREF{mimetype_for_foo} settings, for when you want to use the new password-protect-whole-directory feature but your server doesn't have the MIME::Types Perl module.
  • For paid accounts, we now make multiple attempts to verify the payment data posted to us from PayPal, in the (rare) case that a network problem prevents the first one from going through.  And we have a new log_paypal_payment_debug_info_to_encdata_dir setting for this (again, rare) situation, so you can see where the process of connecting/verifying with PayPal is failing.
  • New $PREF{extra_header_output} to allow you to include a custom favicon, or to integrate with VisitorLog, etc.
  • Simplified the embedding process so that the $PREF{print_full_html_tags} setting is no longer required.  Now when UserBase is embedded within a different page, the full userbase.cgi URL will continue to work properly as well.
  • New $PREF{debuglog} setting to make debugging easier, especially on servers without decent built-in error logs, or where the host won't let you access the error log.

v2.39 (20111220):

  • Bugfix: previous update caused the built-in form fields to not display on the sign-up/edit-user form with certain custom field configurations.

v2.38 (20111025):

  • For custom fields, you can now specify whether each field appears on the sign-up form on a per-field basis, as opposed to before where all custom fields would either be displayed, or all not displayed.
  • New $PREF{filechucker_userdir_template} setting, for when creating FileChucker userdirs automatically during account creation, to support FileChucker's new userdir template feature.

v2.37 (20110929):

  • We now include the version number in the prefs file too, to make things easier for those with multiple installations, and during updates/moves, etc.

v2.36 (20110909):

  • UserBase can now password-protect a whole directory without using PHP and without editing individual files within the directory, via the new $PREF{protected_directory_NN} settings.
  • New group managers feature and $PREF{group_membership_update_emailalert_enabled} setting: on the Manage Groups page, you can specify accounts to be "managers" for each group, who will then receive email notification whenever a member is added to or removed from that group.

v2.35 (20110901):

  • User accounts now support profile images and profile pages, and there's an optional member directory for sites where you want your members to be viewable to the public and/or to the rest of the members.
  • New $PREF{default_app_style} setting and a new dark theme, for easier integration into sites with existing dark layouts.
  • Other minor changes.

v2.34 (20110313):

  • Replaced all calls to Perl's "warn" function with a custom "enc_warn" version, because some Windows servers throw temper tantrums upon seeing the built-in version.
  • Our various database-table-viewer pages now do their sorting (when you click the column name links) instantly on the client side, rather than with a request to the server requiring a new page load.
  • Various small tweaks and bugfixes.

v2.33 (20101116):

  • New event calendar feature, allowing members to create events for which UserBase will send them email notifications reminding them when the event date draws near.
  • Other minor tweaks and bugfixes.

v2.32 (20101006):

  • Minor tweaks.

v2.31 (20100921):

  • Renamed the login landing page from Main Menu to Account Center.
  • New $PREF{page_subtitle_template} setting to adjust the styling and display of page subtitles.
  • New $PREF{allow_underscores_in_realnames} setting, for any crazy people who have underscores in their actual names.
  • Other minor tweaks and bugfixes.

v2.30 (20100621):

  • Bugfix: a previous update introduced a bug that could prevent the password field from being displayed on the non-admin user sign-up form.

v2.29 (20100604):

  • New import and export features allowing bulk import/export of user accounts (including custom field values) via CSV file.
  • New $PREF{log_all_userinfo_updates} feature allowing you to have an audit trail of all changes to user data (of course for passwords, the passwords themselves are never stored nor logged).  You can also enable email notification for all such changes.
  • Data fields on the signup/edit-user pages can now be grouped into sections.
  • New $PREF{groups_allowed_to_edit_[fieldname]_field} feature, allowing you to specify which groups (member, admin, etc) can edit which fields.
  • The Manage Users page now has a filter/search field, to limit the accounts that are displayed.
  • You can now specify custom Javascript actions for the fields on the signup/edit-user page, for example if a certain field or section should be hidden based on the value in another field.
  • New "Show All Prefs" feature, available on the Administration page, shows the values of all your prefs.
  • New Server Information page, showing environment variables, Perl version, CGI version, and MIME::Lite version.
  • In date strings where we were using "%P" to get am/pm, we now use "%p" instead (which is the same but uppercase, i.e. AM/PM) because some Windows servers crash/hang when confronted with "%P".  No, really.
  • Various updates to our built-in database table viewer/editor (including presets for min/max values, min/max string lengths, and type checking; nicer visual styles in vertical display mode; ...).
  • Improved autodetection of the server's DOCROOT on certain servers with strange configurations.
  • Bugfix: added internal _qsready versions of a few key prefs ($PREF{login_url} in particular) to allow proper embedding within a page that already uses the query-string for navigation.  For example if your page is index.php?page=login we would previously try to use index.php?page=login?action=signup as the link to the signup page, rather than index.php?page=login&action=signup as we do now.

v2.28 (20091224):

  • New $PREF{loginreturn} feature lets you specify URL variables that tell UserBase to automatically return the user to a specific page upon login and/or signup.
  • New $PREF{show_custom_fields_on_signup_form} setting along with options to specify who can view and edit custom fields, in case you want to be able to have custom fields that you set the values in and your users can only view but not adjust those values.
  • Updated the blacklist/whitelist feature so that in addition to all-or-nothing whole-app blocking, you can specify that users matching the lists are automatically added to special encblacklisted/encwhitelisted groups, which you can use in any of the $PREF{groups_allowed_to_*} settings.
  • Updated the CSS for the drop-shadows around the login form so that they display properly on backgrounds which are non-solid colors (patterned, gradients, images, etc).
  • If you have UserBase embedded within another page, the failed-login page now displays within that rather than as a standalone page.
  • Automatically fix the DOCUMENT_ROOT on GoDaddy servers, which set it incorrectly for subdomains.
  • Bugfix: a previous update caused us to fail to autodetect when HTTPS was in effect.

v2.27 (20091109):

  • Usernames and passwords can now be made case-insensitive.
  • UserBase can now send notification emails to the administrator when a user logs in.
  • Bugfix: the on_member_login_redirect_to setting originally excluded admins from the redirection, but that got broken in a recent update, so both members and admins were redirected.  Now admins are again excluded.

v2.26 (20090928):

  • On the main menus, individual links can now be hidden.
  • Miscellaneous updates to the database viewer/editor behind features such as the main menus and password logs.
  • Bugfix: a recent update could cause a MySQL error on servers with older versions of MySQL, on pages that use the database viewer/editor.

v2.25 (20090810):

  • New styling for the login form, with more neutral colors to better match existing site layouts.
  • Various refactoring (internal changes) and slight adjustments to wording.

v2.24 (20090803):

  • Bugfix: further loosened our check-server-environment test for servers which apparently just have very few environment variables set.

v2.23 (20090803):

  • Removed the "use extra security" checkbox from the login form by default.  It's now forced by default instead, since it's useful in the vast majority of cases, and the option was just confusing to non-technical users.
  • New blacklist/whitelist feature to block users based on IP address or hostname.
  • New ?format=justlink feature, for situations where you want to just display a "login" or "logout" link on a particular page apart from the main UserBase page.
  • Small changes to make managing users quicker (text on confirmation pages now contains a link to the manage-user page for the user in question; or links back to the main manage-users page for quick return rather than having to go back to the main menu first).
  • Various small improvements to the database-viewer/editor function that's behind features like the login log and password-change log.
  • Lots of refactoring to replace old ?phase=foo-based message system with a new more flexible system based on keyed messages (?kmsg=abcdef...).
  • For paid accounts, if there's an error during the PayPal IPN process (during which no user is present, so we can't display an error message), we'll attempt to send an email to the site administrator before die()ing.
  • Removed the "" from our internal redirection URLs because some servers choke on URLs containing an http:// other than at the start.
  • Bugfix: paid accounts would fail to be approved on some servers depending on the type/number of environment variables the server uses (it was tripping our check-server-environment test introduced in a previous update).
  • Bugfix: for prefs that require specifying a group (paid accounts for example) we now prevent you from specifying one of our internal groups (which didn't work even before, but previously failed silently or in non-obvious ways).

v2.22 (20090524):

  • Simplified the installation process by including a new folder called "" within the file; this folder contains the full directory structure and all files necessary for UserBase to work, so you don't need to manually create any files or folders -- just upload the contents of the folder to your server.

v2.21 (20090504):

  • We now automatically create the Main Menu link to the Manage Users page for any group that you specify as a subgroup manager group.
  • Added workaround for Windows MySQL bug where it claims that table "Foo" does not exist, but it also cannot create table "Foo" because "foo" already exists.  Ugh.
  • We now attempt to detect whether we're being executed via command line, and print a useful error in that case, to prevent getting the FAQ about why it doesn't work from the command line (answer: because it's a web app).
  • We now support shared prefs files, for specifying prefs a single time to be used in multiple apps, or in multiple copies of an app.
  • The pages which display database contents now handle reverse-sort differently: instead of reversing the order of whichever N items were displayed on the current page, we now reverse the whole dataset itself.  So the N items displayed on say page #3 of the data will not be the same N items displayed on page #3 in reverse-mode.
  • We now attempt to automatically correct Network Solutions' screwy configuration on servers that are afflicted by it.
  • Bugfix: in rare cases, an apparent bug somewhere in the Perl MySQL stack causes dropped connections, which are not reconnected even if that flag has been set for the connection.  So we now always do a check-and-reconnect before doing any database communication.
  • Bugfix: on Windows servers, in situations where we need to create new folders which include multiple levels, if the server is using drive-letter paths instead of UNC paths, then we failed to create the new folder.

v2.20 (20090325):

  • The password-reset feature now allows the user to initiate the reset process by entering his username or email address (previously it only supported the username).

v2.19 (20090318):

  • Bugfix: the new web-editable Main Menu tables weren't being created on sites which upgraded from earlier versions of UserBase.

v2.18 (20090308):

  • You can now add/remove/edit links in the various tables on the Main Menu page right in the browser, rather than by modifying the prefs file.
  • Bugfix: on IIS servers where the docroot is a virtual UNC path, we now correctly auto-detect that, rather than requiring it to be specified manually.

v2.17 (20090202):

  • Bugfix: the previous update introduced a bug which caused UserBase to fail to submit insertions/edits/deletions when editing the database tables for certain features (failed login logs for example) when UserBase was embedded within another page.

v2.16 (20090109):

  • Default data directory name changed from "ubdata" to "encdata".
  • In situations where we need to display some output but we're currently outside of any page we might be embedded in (which typically means when we're POSTed to), we now perform a redirect to ourselves within the embedded page before displaying the output.
  • Removed the $PREF{webmaster_name} setting, which was only really used when sending emails (as the "Name" in "Name <>"), and which was causing problems on a small number of servers which insist on email addresses that do not include any name portion.  So now you can just add the name to the $PREF{webmaster_email_address} setting yourself if you want to.
  • The various features that display data logged to a database (failed & successful password logs, password change logs, etc) now support a vertical display mode, and now support the editing & deleting of records.
  • Groups can now optionally be displayed on the signup form on a per-group basis, so that your users can choose to be members of the groups during signup.
  • Bugfix: for accounts whose users haven't logged in yet, the last-login column now shows "never" instead of January 1970 (i.e. the start of the Unix epoch).
  • Bugfix: users who recently updated from older versions would sometimes receive an error about a missing column during login; that's fixed now.
  • Bugfix: a small number of servers treat an "http" in the URL as an error (other than the one at the very beginning), so we now remove that in any situation where we're passing addresses on the end of the URL.

v2.15 (20081028):

  • We now log failed & successful logins as well as password changes.  (Of course passwords themselves are never logged under any circumstances; only password hashes are logged.)
  • Passwords can now be set to expire after a period of time.
  • Passwords can now be required to contain specific kinds of characters, i.e. must contain uppercase, must contain numbers, must contain special chars, etc.
  • Passwords reuse can now be prevented, i.e. when a user changes his password, he must not use a password that he has used before.
  • We now reject blank usernames and passwords at the start of the login process, rather than letting the validity logic catch them and report a more obscure error.
  • New $PREF{add_www_to_hostname} and $PREF{remove_www_from_hostname} settings, for situations where that can't be done at the server level.
  • New $PREF{force_https} setting, which causes us to do a forced redirect to ourself using https:// if we were visited without it.
  • Removed the $PREF{smtp_port} setting; this should be specified on the end of the $PREF{smtp_server} value, because some Perl installations don't honor the separate port spec.
  • (Prefs file updated.)

v2.14 (20080820):

  • Simplified the database settings: you no longer need to use separate files to specify your SQL information.
  • Overhauled the way we protect the various admin-only features: many things that were previously hard-coded as admin-only are now set as admin-only via prefs, so that you can create other groups with permission for certain functions if you wish.
  • Added support for negative permissions: in addition to the standard groups_allowed_to_* settings, you can also create groups_not_allowed_to_* settings, for more fine-grained control over permissions.
  • New $PREF{custom_mainmenu_page} setting allows you to create a totally custom main menu page.
  • The $PREF{login_script_email_address} setting now once again defaults to, but in a way that doesn't require setting the user-visible pref to a confusing value involving an environment variable.
  • In the status output that we display when another script calls us from the command line, we now include the email address of the logged-in user.
  • Emails sent by the script now include visitor information in the email headers (IP address, hostname, user agent).
  • (Prefs file updated.)

v2.13 (20080719):

  • Added the ability to password-protect pages without using PHP at all (i.e. for servers without PHP, or whose PHP installations are crippled by means of virtual() and exec() being disabled).  See the new $PREF{protected_pages_directory} setting.
  • (Prefs file updated.)

v2.12 (20080714):

  • When sending script-based emails (email verification for new signups, admin notifications, etc) we now try both sendmail & SMTP if one of them fails, rather than reporting the failure of the first one and not trying the second.  The vast majority of servers either use 'localhost' as an SMTP server, or have /usr/sbin/sendmail set up to send email, so by trying both, we make it extremely likely that the default configuration will work without the user having to adjust any settings.  (This is a regression bugfix; it was always supposed to work this way, but changes in v2.05 broke it.)

v2.11 (20080714):

  • On servers without a reasonable PHP installation (i.e. no PHP, or with PHP but the virtual() and exec() functions disabled), we can still be "embedded" into another page by displaying our output wrapped in a customized HTML template.  In previous versions, this was done by creating a header HTML file and a footer HTML file; now it's simplified to a single template HTML file.  The result and the output are identical, but this means that people using WYSIWYG applications to create/edit their websites can do that as they normally would, even for the page we're embedded in.  See the new $PREF{encodable_app_template_file} setting.
  • (Prefs file updated.)

v2.10 (20080611):

  • New setting $PREF{columns_hidden_by_default_on_user_manager}, so that the "Manage Users" page is more narrow by default, so that it doesn't overflow the side of the page on narrower layouts.  Of course all columns can still always be toggled on/off in realtime when viewing the page.
  • (Prefs file updated.)

v2.09 (20080520):

  • We now interpolate some settings progressively as the prefs file is loaded, so that for example %PREF{DOCROOT} can be used within the values of other prefs in the prefs file.  This simplifies some of the default pref values and makes it easier to define/adjust some prefs which have similar values.
  • Replaced the few hard-coded 0777 and 0666 values with prefs, so that on servers that support more restrictive (and more secure) values like 0755 and 0644 (or even 0700 and 0600), they can be used.

(more changelogs coming soon)

v2.05 (20080209):

  • UserBase now supports paid accounts with payments through PayPal.
  • The user form -- for signups, editing accounts, and creating new accounts (by admin) -- is now fully template-based and thus fully customizable.
  • The default values for the webmaster & script email addresses are now single strings with a generic domain name that must be changed, instead of being formed from the server variable for the site's actual domain name, because that was confusing a lot of people.
  • New setting to allow users to automatically be added to groups upon signup ($PREF{automatically_add_new_signups_to_these_groups}).
  • The "logging out; click here to continue" page now uses inline Javascript to automatically redirect the user to the logout page.
  • Renamed the "UserBase" footer link to "My Account".
  • The settings that allow us to automatically redirect a user to another page upon login/logout/etc can now be set on a per-group basis, not just for member & admin as before.
  • Added some CSS for alternative stylings for the login form, though the default style is the same as before.
  • During installation, once we've created the random default admin account, we display a message at the top of every page explaining how to log in with that account, until the webmaster deletes that setup file from the server.  Previously, we just displayed such a message one time (when the account was first created), so some users were then unsure what to do later on when presented with the initial login form.
  • We no longer use a separate table for pending accounts.  This greatly simplifies portions of the code, and resolves a few bugs related to creating and approving pending accounts, particularly when custom fields are involved.
  • In our email-sending routine, when something goes wrong, we now die_nice() instead of just die()ing, so the output is nicer.
  • We now use Javascript redirection in situations where server-side redirection is not possible.
  • Refactoring to unify shared code with other Encodable apps.
  • (Prefs file updated.)

v2.04 (20080119):

  • In the status output that we display when another script calls us from the command line, we now include the userid of the logged-in user.

v2.03 (20071203):

  • The user management page now shows pending accounts with links to approve or delete them.  Previously, the only way to approve or delete a pending account was to click the link in the email that was sent to the webmaster.
  • The user management page now shows a count of active and pending accounts.
  • The $PREF{usernames_are_immutable_once_created} and $PREF{groupnames_are_immutable_once_created} settings have been removed from the prefs file, because changing usernames or groupnames after they've been created tends to have unintended consequences down the road.
  • Small adjustments to the prefs-loading code, including moving it to its own function.
  • Bugfix for edge-case errors in pending account approval.
  • (Prefs file updated.)

v2.02 (20071106):

  • The DBI database connection string is now an adjustable setting, so that users of non-MySQL databases such as PostgreSQL can change it without having to modify the actual CGI code.  (Prefs file updated; new pref is $PREF{dbi_connection_string}.)
  • Improved error messages in a couple of places.
  • Bugfix: using the subgroup-manager feature and the username-is-email-address feature at the same time did not work, because groupnames weren't allowed to contain "@", ".", etc.  Groupnames are now allowed to contain anything that usernames can contain.

v2.01 (20070925):

  • When loading prefs, we now try userbase_prefs.cgi as a fallback, in case ${scriptname}_prefs.cgi does not exist, or in case the site has multiple instances of the script with different names, and wants a common set of base PREFs to apply to all of them.

v2.00 (20070923):

  • The prefs filename is no longer hard-coded as userbase_prefs.cgi; instead it's ${scriptname}_prefs.cgi.  This is so that if you rename your userbase.cgi to something else like login.cgi, then you can (must) also rename your prefs file to login_prefs.cgi.
  • New setting $PREF{forced_logout_link}, which templatizes some HTML that was previously hard-coded.  (Prefs file updated.)

Older Changelog Items

Shopping Cart

Client Quotes

Do you know how rare it is to have a "canned" shopping cart that can easily do complex pricing options on a single item?  Basically, they don't exist!  I have looked.  Everywhere!  And the few that might even come close to CornerStore's functionality cost a fortune!
– Tashina P.
I just wanted to say that yours is the first product that I've tested so far that hasn't failed on handling uploads.  This is going to work for a print company, so they are handling nothing but large files and all the other solutions I've tried so far have not been reliable.  So far yours has been 100% successful in my tests.
– Kevin H.
Why didn't I just do this from the get-go?  So much easier.  Thanks for your work.  FileChucker makes my work easier.
– Dominic M.
Our members think your software is fantastic...  I would recommend your software and your company to anyone.  Thanks for all your help.  It has been a pleasure dealing with you.
– Tommy A.
FileChucker is a great drop-in solution for file uploads, and worth every penny of its very reasonable cost.  Encodable's support is excellent to boot.
– Loren A.
You've done a wonderful job with FileChucker and UserBase, and they have made a big difference to how our website runs.
– Nicholas H.
The work, the thought and the organization you put into this app is incredible.
– Bruce C.
FileChucker is helping drive the backend of several high profile entertainment sites for people like Shania Twain and Dolly Parton.  We're also using it to drive backend file uploads for a multi-billion dollar banking institution.  It's a great product.  We've tried other "chucking" upload solutions with progress bars using flash and php, but nothing works as reliably as FileChucker.
– Michael W.
Thanks again for a great product and great support - beyond expectations.
– Greg S.
Just one word: Fantastic.  10-minute job to plug FileChucker into my app, and it now works a treat.  It's through the hard work by people like yourselves that make my job so much easier.  Congratulations on an outstanding product... Many many thanks.
– Sean F.
Nice script, it's saving the day on our project.
– Aaron W.
I looked all over trying to find a simple cgi script.  I found that FileChucker was by far the best.  If you have issues with your hosting service's php.ini max upload size then this is the way to go.  Looking forward to future enhancements.
– Bob C.
I just want to say you guys really stand alone in that you have a quality product and you provide genuine customer service.  It's sad but those qualities are seldom found separately, much less together.  Thanks again for your time and help.
– Alex S.
Thank you VERY much for all of your help.  You've really impressed me.  We have support agreements for other software that costs thousands of dollars / year (just for the support), and most of them aren't as helpful as you have been.
– Keith Y.
The amount of customization in the program is incredible.  I was able to integrate it into my existing page layout relatively simply.  I was also able to easily customize the look/feel to match the current site.
– Jason M.
I just installed the demo of your product and got it up and running in no time.  I searched high and low for a decent login script and thank God I found yours.
– Adrian F.
FileChucker is working great...  Clients love it.  Vendors love it.  We love it.
– Gerry W.
I want to thank you for your efforts on Userbase. It has become an integral part of our business and has allowed us to branch out and begin using automation on a lot of our processes. Userbase has become the gateway to advancement for our company's processes for our clients and employees.