Lightning round
There are many topics in Elgg development that have not yet been covered in this guide. This section includes brief descriptions along with pointers to where to look in the code for more information.
Authentication
Elgg uses a simple version of pluggable authentication modules (PAM). The default authentication module uses the username and password available from the ElggUser class and stored in the database. Additional authentication modules can be registered through plugins.
See: /engine/lib/pam.php and pam_auth_userpass() in /engine/lib/sessions.php
Caching
There are several types of caches in Elgg. There are memory caches for database queries and loaded objects to reduce the number of database queries. Views can be cached to files to skip the generation of frequently used views like the CSS view. There is also experimental support for memcache. The caching code is spread throughout the engine libraries.
See: /engine/lib/cache.php, /engine/lib/memcache.php, and any of the data model files.
Configuration
The database username, password, and hostname are stored in /engine/settings.php. Other configuration settings are stored in the database. Elgg supports system-wide settings through its data list functions and site-specific settings through its configuration functions.
See: /engine/lib/configuration.php and the config database table for site settings and the datalists database table for installation settings.
Debugging and logging
Elgg provides its own logging function: elgg_log(). This function works in concert with the debug mode in the site settings. The debug mode parameter sets the trace level to control the amount of information logged. Elgg supports logging to PHP's error log or to the screen. Additional destinations can be set through a plugin hook.
User actions are logged to the database through the system log functions. There are two plugins for working with the log: logbrowser and logrotate.
Elgg also overrides PHP's default logging and exception handling with functions in elgglib.php.
See: /engine/lib/elgglib.php and /engine/lib/system_log.php.
JavaScript
Elgg includes its own library for client-side JavaScript and Ajax functionality built on top of jQuery. It is designed to be extensible with plugins able to create their own namespaced objects (see /mod/embed/views/default/js/embed/embed.php for an example of that). The library supports submitting to Elgg actions via Ajax, displaying status messages, and custom client-side events.
See: /js/ and /views/default/js/
Menus
Elgg has many menus. Site-wide navigation, avatar drop-down menus, and a footer menu are just a few examples. All of the menus are created using a single API. This API supports static menus, context-specific menus, custom templates, and hierarchical menus. A valuable resource for understanding the menu system is a series of articles posted on the Elgg blog. They can be found by visiting http://blog.elgg.org and searching for "menu".
See: /engine/lib/navigation.php and /views/default/navigation/menu/
Private settings
Private settings are similar to metadata and are used for storing settings for plugins and users.
See: /engine/lib/private_settings.php
Search
Search is provided through a plugin that uses MySQL's free text search capabilities. There is a readme file in the plugin's directory that provides an overview of the plugin and how to extend it.
See: /mod/search/
Security
A wide range of topics fits under the heading of security. This section highlights Elgg's security against cross-site scripting (XSS), cross-site request forgeries (CSRF), and SQL injection attacks. User-submitted input passes through the get_input() function, which filters the data. The filtering occurs through a plugin hook that the htmlawed plugin handles. The action system uses a token-based approach to CSRF attacks. SQL injection protection is provided by escaping parameters during query generation. More detailed information is available on the Elgg wiki.
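The token-based approach to CSRF mentioned above, shown as an added example that is not Elgg's code or the book's: it binds a timestamped token to the user's session and checks it before an action runs. The function names, request field names, secret, lifetime and the use of HMAC-SHA256 are all assumptions made for illustration.

```php
<?php
// Added illustration of a timestamped, session-bound action token.
// All names here (SITE_SECRET, make_action_token, check_action_token) are
// hypothetical and are not Elgg functions.

const SITE_SECRET    = 'constructed-example-secret'; // constructed; use a random per-install value
const TOKEN_LIFETIME = 3600;                         // seconds a token stays valid (assumed)

// Token = HMAC(secret, timestamp | session id): a page on another origin
// cannot compute it because it knows neither the secret nor the session id.
function make_action_token(int $ts, string $session_id): string {
    return hash_hmac('sha256', $ts . '|' . $session_id, SITE_SECRET);
}

// Returns true only when both fields are present, the timestamp is fresh,
// and the token matches the one derived for this session.
function check_action_token(array $request, string $session_id, int $now): bool {
    $token = $request['token'] ?? null;
    $ts    = $request['ts'] ?? null;
    if (!is_string($token) || !is_string($ts) || !ctype_digit($ts)) {
        return false;                       // missing or malformed fields
    }
    $ts = (int) $ts;
    if ($ts > $now || $now - $ts > TOKEN_LIFETIME) {
        return false;                       // future-dated or expired
    }
    // hash_equals() compares in constant time to avoid a timing side channel.
    return hash_equals(make_action_token($ts, $session_id), $token);
}

// Constructed sample requests: [request fields, session id, current time].
$now     = 1700000000;
$session = 'sess-alice';
$good    = ['ts' => (string) $now, 'token' => make_action_token($now, $session)];

$cases = [
    'valid form post'         => [$good, $session, $now + 60],
    'no token (forged post)'  => [['ts' => (string) $now], $session, $now + 60],
    'token for other session' => [$good, 'sess-mallory', $now + 60],
    'expired token'           => [$good, $session, $now + TOKEN_LIFETIME + 1],
];
foreach ($cases as $label => [$req, $sid, $t]) {
    printf("%-24s %s\n", $label, check_action_token($req, $sid, $t) ? 'accepted' : 'rejected');
}
```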
Session handling
Elgg uses PHP's session handling and stores the session data in the database. A session contains the user object for the logged in user, which is accessed through the function elgg_get_logged_in_user_entity().
See: /engine/lib/sessions.php
Unit tests
Elgg uses the SimpleTest framework for its unit tests. The unit tests are run through the diagnostics plugin. Plugins can add unit tests by registering a callback for the 'unit_test', 'system' plugin hook.
See: /engine/tests/ and /vendors/simpletest/
Web services
A REST/RPC hybrid web services API is included with Elgg. It enables sites to expose a custom web services API. These web services can be used for building desktop and mobile applications, integrating with third party applications, or creating mashups with other websites.
See: /engine/lib/api.php
Widgets
Elgg has a simple widget framework. By default, widgets are available on users' profiles and dashboards. They are easy to create and there are tutorials in Chapter 8 and on the Elgg wiki for building them.
See: /engine/lib/widgets.php