Difference between revisions of "X-Cart:Security Profiles"

From X-Cart 4 Classic
Jump to: navigation, search
m
m
Line 2: Line 2:
  
 
In X-Cart versions 4.5.5 and later, during X-Cart installation you can choose a security profile for your store. The two available options are '''Evaluation/Playground''' and '''Live store'''.
 
In X-Cart versions 4.5.5 and later, during X-Cart installation you can choose a security profile for your store. The two available options are '''Evaluation/Playground''' and '''Live store'''.
The store administrator selects the required security profile at the step [[X-Cart:Installing_X-Cart_Using_the_Installation_Wizard#Preparing to install X-Cart database | Preparing to install X-Cart database]] of X-Cart's web installation:
+
The store administrator selects the security profile at the step '''[[X-Cart:Installing_X-Cart_Using_the_Installation_Wizard#Preparing to install X-Cart database | Preparing to install X-Cart database]]''' of X-Cart's web installation:
[[File:Security_profile.png|border]]
+
[[File:Security_profile.png|border]]  
  
The '''Live store''' security profile provides some security restrictions:
+
The '''Live store''' security profile is a combination of security options that ensure a higher level of security for your store's data in production mode. This includes:
- protected mode ON
+
# Enabled 'ip'-based protection mode for security-sensitive operations performed via X-Cart's Admin area:
const PROTECT_DB_AND_PATCHES = 'ip';
+
#* SQL/security and upgrade/patch operations,
const PROTECT_ESD_AND_TEMPLATES = 'ip';
+
#* file operations (upload of distribution files for ESD products) and template editing.
- session id of admin user is locked to the IP subnetwork including the IP address from which the admin session originated
+
# Enabled session protection mechanism ensuring that the session id of admin user is locked to the IP subnetwork including the IP address from which the admin session originated; this significantly reduces the possibility of a valid session being hijacked by an unauthorized person.
const PROTECT_XID_BY_IP = 'mask';
+
In practice, when you choose the '''Live store''' security profile during X-Cart's installation, the values of a few security related constants in X-Cart's configuration file <u>config.php</u> are updated to reflect the following:
 +
 
 +
const PROTECT_DB_AND_PATCHES = 'ip';
 +
const PROTECT_ESD_AND_TEMPLATES = 'ip';
 +
const PROTECT_XID_BY_IP = 'mask';
  
 
const PROTECT_DB_AND_PATCHES - admin/db_backup.php
 
const PROTECT_DB_AND_PATCHES - admin/db_backup.php
Line 21: Line 25:
 
live
 
live
  
const PROTECT_DB_AND_PATCHES = 'ip';
+
const PROTECT_DB_AND_PATCHES = 'ip';
const PROTECT_ESD_AND_TEMPLATES = 'ip';
+
const PROTECT_ESD_AND_TEMPLATES = 'ip';
const PROTECT_XID_BY_IP = 'mask';
+
const PROTECT_XID_BY_IP = 'mask';
  
 
test
 
test
  
const PROTECT_DB_AND_PATCHES = FALSE;
+
const PROTECT_DB_AND_PATCHES = FALSE;
const PROTECT_ESD_AND_TEMPLATES = FALSE;
+
const PROTECT_ESD_AND_TEMPLATES = FALSE;
const PROTECT_XID_BY_IP = FALSE;
+
const PROTECT_XID_BY_IP = FALSE;
  
  

Revision as of 22:00, 28 January 2013

Under construction

In X-Cart versions 4.5.5 and later, during X-Cart installation you can choose a security profile for your store. The two available options are Evaluation/Playground and Live store. The store administrator selects the security profile at the step Preparing to install X-Cart database of X-Cart's web installation: Security profile.png

The Live store security profile is a combination of security options that ensure a higher level of security for your store's data in production mode. This includes:

  1. Enabled 'ip'-based protection mode for security-sensitive operations performed via X-Cart's Admin area:
    • SQL/security and upgrade/patch operations,
    • file operations (upload of distribution files for ESD products) and template editing.
  2. Enabled session protection mechanism ensuring that the session id of admin user is locked to the IP subnetwork including the IP address from which the admin session originated; this significantly reduces the possibility of a valid session being hijacked by an unauthorized person.

In practice, when you choose the Live store security profile during X-Cart's installation, the values of a few security related constants in X-Cart's configuration file config.php are updated to reflect the following:

const PROTECT_DB_AND_PATCHES = 'ip'; const PROTECT_ESD_AND_TEMPLATES = 'ip'; const PROTECT_XID_BY_IP = 'mask';

const PROTECT_DB_AND_PATCHES - admin/db_backup.php CHANGE_SECURITY_OPTIONS PATCH_FILES, PATCH_SQL UPGRADE

const PROTECT_ESD_AND_TEMPLATES - Edit templates,FILE_OPERATIONS (Egoods)

live

const PROTECT_DB_AND_PATCHES = 'ip'; const PROTECT_ESD_AND_TEMPLATES = 'ip'; const PROTECT_XID_BY_IP = 'mask';

test

const PROTECT_DB_AND_PATCHES = FALSE; const PROTECT_ESD_AND_TEMPLATES = FALSE; const PROTECT_XID_BY_IP = FALSE;


If you need to change the previously chosen security profile, re-run X-Cart's Installation Wizard with the option Update config only enabled, or simply edit your store's file config.php to readjust the values of the constants PROTECT_DB_AND_PATCHES, PROTECT_ESD_AND_TEMPLATES and PROTECT_XID_BY_IP manually.