INSTRUCTIONS FOR DaDaBIK 5.1 BASIC
*******************************

File /include/config.php

add:

    // secret_key: a long (60+ characters), random and complicated phrase which is used to sign authentication cookies for this application and therefore improve authentication security; you don't need to remember this phrase
    // please note that in order to benefit from this security mechanism you must choose a different secret_key for each DaDaBIK application you create and you must keep this value secret
    $secret_key = '';

File /include/common_start.php

change this:

    if ($dbms_type != "" && $db_name != "" && $site_url != "" && $site_path != "" && $timezone != "" && ($host != "" && $user != "" || $dbms_type === 'sqlite' || $dbms_type === 'sqlite2')) {

with:

    if ($secret_key !== '' && !is_null($secret_key) && $dbms_type != "" && $db_name != "" && $site_url != "" && $site_path != "" && $timezone != "" && ($host != "" && $user != "" || $dbms_type === 'sqlite' || $dbms_type === 'sqlite2')) {

change this:

    echo "

    [01] Error: please specify host, username, database name, site url, site path and timezone in config.php. If you use sqlite host and username are not needed.";

with:

    echo "

    [01] Error: please specify host, username, database name, site url, site path, timezone and secret_key in config.php. If you use sqlite host and username are not needed.";

File /include/business_logic.php, function get_user_infos_ar_from_username_password

change this:

    global $conn, $users_table_name, $users_table_username_field, $users_table_password_field, $quote, $prefix_internal_table, $generate_portable_password_hash, $enable_granular_permissions, $users_table_id_field, $groups_table_id_field, $users_table_id_group_field;

with:

    global $conn, $users_table_name, $users_table_username_field, $users_table_password_field, $quote, $prefix_internal_table, $generate_portable_password_hash, $enable_granular_permissions, $users_table_id_field, $groups_table_id_field, $users_table_id_group_field, $secret_key;

add:

    $user_infos_ar['secret'] = md5($user_infos_ar['username_user'].$secret_key);

after:

    $user_infos_ar['username_user'] = $row[$users_table_username_field];

There are two instances of $user_infos_ar['username_user'] = $row[$users_table_username_field]; in this function: do the above operation for both instances.

File /include/check_login.php

change this:

    if ( !isset($_SESSION['logged_user_infos_ar']) ) {

with:

    if ( !isset($_SESSION['logged_user_infos_ar']) || $_SESSION['logged_user_infos_ar']['secret'] !== md5($_SESSION['logged_user_infos_ar']['username_user'].$secret_key)) {

INSTRUCTIONS FOR DaDaBIK 5.0 BASIC
*******************************

The instructions for DaDaBIK 5.1 BASIC should be perfectly adaptable to 5.0; contact the support if you find difficulties.

INSTRUCTIONS FOR DaDaBIK 4.x
*******************************

Follow the instructions for DaDaBIK 5.1 BASIC. You might find differences in the code, but you should easily guess what to do; contact the support if you find difficulties. One of the differences is that in business_logic.php you should find $user_infos_ar['username_user'] = $row[$users_table_username_field]; just once.
The patch should work for DaDaBIK 4.x, even if it has not been tested.
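The following is an added, stand-alone example (not DaDaBIK code and not part of the original instructions) that isolates the mechanism the patch installs: a per-application secret is mixed into a tag stored in the logged-in user's session data, and check_login.php recomputes the tag on every request so that session data whose username does not match its tag, or that carries no tag at all, is treated as not logged in. The function names make_secret_key(), session_secret() and session_is_valid() and the sample session arrays are assumptions made for this example; the tag itself is computed exactly as the patch does, md5(username . secret_key).

```php
<?php
// Added example (not DaDaBIK's code): the session-binding check described in
// the patch, written as plain functions so it can be run from the CLI.
// make_secret_key(), session_secret() and session_is_valid() are assumed names.

declare(strict_types=1);

// Produce a value suitable for $secret_key in config.php: 64 hex characters
// (the patch asks for 60+) drawn from the operating system's CSPRNG, so the
// administrator does not have to invent a "complicated phrase" by hand.
function make_secret_key(): string
{
    return bin2hex(random_bytes(32));
}

// The tag the patched business_logic.php stores in $user_infos_ar['secret'].
// Computed exactly as in the patch: md5 of the username followed by the key.
function session_secret(string $username, string $secret_key): string
{
    return md5($username . $secret_key);
}

// The test the patched check_login.php performs. The isset() guard makes a
// session record that lacks either field (for example one created before the
// patch was applied) fail closed without a PHP notice, and hash_equals()
// compares the two tags in constant time.
function session_is_valid(?array $logged_user_infos_ar, string $secret_key): bool
{
    if ($logged_user_infos_ar === null
        || !isset($logged_user_infos_ar['username_user'], $logged_user_infos_ar['secret'])) {
        return false;
    }
    $expected = session_secret((string) $logged_user_infos_ar['username_user'], $secret_key);
    return hash_equals($expected, (string) $logged_user_infos_ar['secret']);
}

// --- demonstration with constructed values ---
$secret_key = make_secret_key();

// Session data as the patched login code would write it for user "alice".
$session_after_login = [
    'username_user' => 'alice',
    'secret'        => session_secret('alice', $secret_key),
];
var_dump(session_is_valid($session_after_login, $secret_key));

// The same record with the username changed after login: the stored tag was
// computed for "alice", so it no longer matches.
$altered = $session_after_login;
$altered['username_user'] = 'admin';
var_dump(session_is_valid($altered, $secret_key));

// A record from before the patch, which carries no tag at all.
var_dump(session_is_valid(['username_user' => 'alice'], $secret_key));

// A valid record checked against a different application's secret_key, which
// is why the patch insists on one distinct key per DaDaBIK installation.
var_dump(session_is_valid($session_after_login, make_secret_key()));
```

Run it with php on the command line; only the first call passes the check, and the other three cases show what the added secret_key buys: session data is accepted only when its username and tag were produced together by this application's login code. If the check is ever rewritten, hash_hmac('sha256', $username, $secret_key) combined with hash_equals() is the standard construction for this kind of keyed tag; the example keeps md5 only to match the patch as published.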