Difference between revisions of "Draft:Config.php"
m (→Enabling/Disabling data caching) |
m (→X-Cart security keys) |
||
(9 intermediate revisions by the same user not shown) | |||
Line 166: | Line 166: | ||
</pre> | </pre> | ||
− | The constant '''CHECK_CUSTOMERS_INTEGRITY''' defines whether admin profiles in xcart_customers should be checked for authenticity to prevent their malicious faking and stealing. The possible values for this constant are '''TRUE''' and '''FALSE'''. It is highly recommended to keep this option enabled (set to '''TRUE''') at all times. | + | The constant '''CHECK_CUSTOMERS_INTEGRITY''' defines whether admin and (X-Cart PLATINUM) provider profiles in the xcart_customers table should be checked for authenticity to prevent their malicious faking and stealing. The possible values for this constant are '''TRUE''' and '''FALSE'''. It is highly recommended to keep this option enabled (set to '''TRUE''') at all times. |
===Checking the authenticity of Social login admin profiles in xcart_xauth_user_ids=== | ===Checking the authenticity of Social login admin profiles in xcart_xauth_user_ids=== | ||
Line 173: | Line 173: | ||
</pre> | </pre> | ||
− | The constant '''CHECK_XAUTH_USER_IDS_INTEGRITY''' defines whether [[X-Cart:X-Social_Login_(ex_Janrain_Engage)_module | Social login]] admin and (X-Cart PLATINUM | + | The constant '''CHECK_XAUTH_USER_IDS_INTEGRITY''' defines whether [[X-Cart:X-Social_Login_(ex_Janrain_Engage)_module | Social login]] admin and (X-Cart PLATINUM) provider profiles in the xcart_xauth_user_ids table should be checked for authenticity to prevent their malicious faking and stealing. The check ensures the integrity of the association between the Social login id of admin and provider users and their X-Cart user profiles. The possible values for this constant are '''TRUE''' and '''FALSE'''. It is highly recommended to keep this option enabled (set to '''TRUE''') at all times. |
===Checking the authenticity of the password_reset_key field in xcart_reset_passwords=== | ===Checking the authenticity of the password_reset_key field in xcart_reset_passwords=== | ||
Line 186: | Line 186: | ||
</pre> | </pre> | ||
The constant '''CHECK_CONFIG_INTEGRITY''' defines whether critical config values stored in the xcart_config table should be checked for authenticity in order to prevent their malicious faking and stealing. The possible values for this constant are '''TRUE''' and '''FALSE'''. It is highly recommended to keep this option enabled (set to '''TRUE''') at all times. | The constant '''CHECK_CONFIG_INTEGRITY''' defines whether critical config values stored in the xcart_config table should be checked for authenticity in order to prevent their malicious faking and stealing. The possible values for this constant are '''TRUE''' and '''FALSE'''. It is highly recommended to keep this option enabled (set to '''TRUE''') at all times. | ||
− | + | The config values protected by '''CHECK_CONFIG_INTEGRITY''' are as follows: | |
+ | <pre> | ||
+ | 'site_administrator' => 'Site administrator email address', // without category | ||
+ | 'ip_register_codes' => 'List of IP addresses awaiting registration', // without category | ||
+ | 'allowed_ips' => 'Allowed IP addresses', // without category | ||
+ | 'xpc_allowed_ip_addresses' => 'IP addresses for X-Payments callbacks', // XPayments_Connector | ||
+ | 'smtp_server' => 'SMTP server', // Email | ||
+ | 'use_smtp' => 'Use SMTP server instead of internal PHP mailer', // Email | ||
+ | 'unallowed_request_notify' => 'Notify the site administrator by email if unallowed request to site occurs', // Email_Note | ||
+ | 'eml_login_error' => 'Login error notification to site administrator', // Email_Note | ||
+ | 'admin_sqlerror_notify' => 'Notify the site administrator about SQL errors in the store by email', // Email_Note | ||
+ | 'allow_ips' => 'Check if payment gateway response is coming from the IP\'s specified here (enter a comma separated list)', // Security | ||
+ | </pre> | ||
===Synchronizing user sessions of the primary store domain and additional domain aliases=== | ===Synchronizing user sessions of the primary store domain and additional domain aliases=== | ||
<pre> | <pre> | ||
Line 227: | Line 239: | ||
:* '''3''': Errors and notices are both displayed on the store pages and written to log files. | :* '''3''': Errors and notices are both displayed on the store pages and written to log files. | ||
By default the value of this variable is set to '''2'''. | By default the value of this variable is set to '''2'''. | ||
+ | |||
+ | ===X-Cart security keys=== | ||
+ | The variables $xc_security_key* are used to store X-Cart security keys that ensure the security of admin operations. These keys are involved in the generation of digital signatures used to ensure the authenticity of certain types of data stored in the database: | ||
+ | * '''$xc_security_key_session''': This key is used for the generation of signatures for admin and (X-Cart PLATINUM) provider user profiles, password reset keys, Social Login admin and (X-Cart PLATINUM) provider profiles and sessions. | ||
+ | * '''$xc_security_key_config''': This key is used for the generation of signatures for critical xcart_config values. | ||
+ | * '''$xc_security_key_general''': This key is used for X-Cart's X-Monitoring module. | ||
+ | Without the key no one will be able to recreate the signature of a database record, so no one will be able to fake a database record by substituting their own data. | ||
+ | Similarly to your store's $blowfish_key value, the values of $xc_security_key* variables must be unique per store and must be stored securely. To enhance the security of your store, it is recommended to periodically update the security keys by re-generating them. To re-generate your security keys, you only need to [[X-Cart:Advanced_Tools#Re-generate_the_Blowfish_Encryption_Key|re-generate your Blowfish key]]: the $xc_security_key* keys will be re-generated automatically along with the $blowfish_key value. |
Latest revision as of 15:43, 14 February 2013
Contents
- 1 Section marked "DO NOT CHANGE ANYTHING BELOW THIS LINE UNLESS YOU REALLY KNOW WHAT YOU ARE DOING"
- 1.1 Enabling/Disabling data caching
- 1.2 Setting the protection method for SQL/security and file changes from the Admin area
- 1.3 Binding the session id of admin user to IP address
- 1.4 Restricting access to Admin area by IP
- 1.5 Blocking IFRAME / FRAME calls
- 1.6 Setting the length for the list of unique form identifiers
- 1.7 Setting disallowed file types
- 1.8 Checking MD5 of compiled templates
- 1.9 Storing customers' checking account details
- 1.10 Checking the authenticity of admin profiles in xcart_customers
- 1.11 Checking the authenticity of Social login admin profiles in xcart_xauth_user_ids
- 1.12 Checking the authenticity of the password_reset_key field in xcart_reset_passwords
- 1.13 Checking the authenticity of critical config values in xcart_config
- 1.14 Synchronizing user sessions of the primary store domain and additional domain aliases
- 1.15 Enabling CURLOPT_INTERFACE setting for libcurl
- 1.16 Enabling HTTP 1.0 compatibility mode
- 1.17 Limiting the number of HTTPS redirects
- 1.18 Debug mode settings
- 1.19 X-Cart security keys
Section marked "DO NOT CHANGE ANYTHING BELOW THIS LINE UNLESS YOU REALLY KNOW WHAT YOU ARE DOING"
We strongly recommend you do not change any configuration settings that go below the line that says:
# DO NOT CHANGE ANYTHING BELOW THIS LINE UNLESS # YOU REALLY KNOW WHAT ARE YOU DOING
Editing the settings below this line requires profound knowledge of X-Cart architecture. Tampering with these settings may cause considerable damage to your store.
Below are some notes on the contents of this section: &&&&&
$x_time_threshold = 4; $x_mem_threshold = 4194304;
&&&&&
mysql_autorepair = true;
Enabling/Disabling data caching
define('USE_DATA_CACHE', true);
The constant USE_DATA_CACHE defines whether your store should use data caching.
When enabled, you store's cache includes the following data:
- active modules
- setup_images
- charsets
- payments for which https is enabled
- sql requests
- sql_tables_fields
- sql_vars
Also, the results of the following functions are cached:
- get_categories_tree
- get_language_vars
- get_offers_categoryid
- get_schemes
- get_default_fields
- test_active_bouncer
- tpl_get_xcart_news
- get_xcart_paid_modules
The possible values for the USE_DATA_CACHE constant are:
- true: Data caching is enabled.
- false: Data caching is disabled.
By default the value is set to true. Changing the value to false is reasonable only if you experience problems using the store with caching enabled (e.g. if you keep getting error messages about files in the /var/cache directory of your X-Cart installation).
define('DATA_CACHE_TTL', 24*3600);
The constant DATA_CACHE_TTL defines how often your store's cache should be re-generated. By default the value is set to 24*3600, which means that cache will be re-generated every 24 hours.
define('USE_SQL_DATA_CACHE', false);
The constant USE_SQL_DATA_CACHE defines whether your store should cache the results of heavy database queries. Enabling this type of caching is not recommended in the development period - while you are still adding new products to the store's catalog and making a lot of changes via the store's administration back end. However, when your store is ready to go live (so you won't be making many changes), enabling this option is recommended to enhance your store's performance. Note that we do not guarantee compatibility of this feature with 3rd party add-on modules.
define('SQL_DATA_CACHE_TTL', 3600);
The constant DATA_CACHE_TTL defines how often your store's SQL data cache should be re-generated.
Setting the protection method for SQL/security and file changes from the Admin area
const PROTECT_DB_AND_PATCHES = 'ip';
const PROTECT_ESD_AND_TEMPLATES = 'ip';
The constants PROTECT_DB_AND_PATCHES and PROTECT_ESD_AND_TEMPLATES define whether the store should use protection against unauthorized SQL/security and file operations from the Admin area and set the type of protection method to be used:
- PROTECT_DB_AND_PATCHES applies to SQL/security and upgrade/patch operations performed via X-Cart's Admin area.
- PROTECT_ESD_AND_TEMPLATES applies to upload of distribution files for ESD products and the 'Edit templates' feature.
The possible values for these constants are:
- 'ip': Access to the protected pages is allowed only from specific IP addresses.
- 'file': (Strongly recommended) Access to the protected pages is allowed only after creating a special file in the var/tmp folder. Using this value provides the highest level of security.
- FALSE: (Not recommended) Protection for SQL/Security and file operations from the Admin area is disabled.
Binding the session id of admin user to IP address
const PROTECT_XID_BY_IP = 'mask';
The constant PROTECT_XID_BY_IP defines whether the session id of admin user should be locked to the IP address from which this session originated. The possible values are (from high security level to low):
- 'ip': (Strongly recommended) The session id of admin user is locked to a specific IP address. Using this value provides the highest level of security. For example, 192.168.31.40.
- 'secure_mask': The session id of admin user is locked to the IP subnetwork including the IP address from which the admin session originated. For example, 192.168.31.*. Using this value provides medium to high level of security.
- 'mask': The session id of admin user is locked to the IP subnetwork including the IP address from which the admin session originated. For example, 192.168.*.*. Using this value provides medium to low level of security.
- FALSE: (Not recommended) Binding of admin user session id to his IP address is disabled. You may want to use this value if admin is going to work via two or more ISPs alternating all the time.
Note that, if the value of PROTECT_XID_BY_IP at your store is set to 'ip', in rare cases (namely, if your ISP changes your IP address too often, like every few seconds) you may experience problems logging in to the Admin area. If this happens, consider switching to 'secure_mask'/'mask' or disable binding of admin user session IDs to IP addresses altogether by setting the value of PROTECT_XID_BY_IP to FALSE.
Restricting access to Admin area by IP
const BLOCK_UNKNOWN_ADMIN_IP = FALSE;
The constant BLOCK_UNKNOWN_ADMIN_IP (in X-Cart versions prior to 4.5.5 known as SECURITY_BLOCK_UNKNOWN_ADMIN_IP) defines whether the store's user access control functionality is enabled. This functionality prevents usage of your store's back-end from IP addresses unknown to the system. The possible values are:
- TRUE: User access control functionality is enabled; the Admin area can be accessed only from the IP address specified in the value of the ADMIN_ALLOWED_IP constant (see below).
- FALSE: User access control functionality is disabled; the Admin area can be accessed from any IP address.
By default the value of this constant is set to FALSE. For more information, see the section User Access Control.
const ADMIN_ALLOWED_IP = '';
The constant ADMIN_ALLOWED_IP (in X-Cart versions prior to 4.5.5 known as $admin_allowed_ip) specifies the IP addresses from which access to the Admin area should be allowed. You can leave the value empty for unrestricted access or provide a comma separated list of trusted IP addresses to allow access only from these IP addresses.
For example:
- Unrestricted access:
ADMIN_ALLOWED_IP = '';
- Access is allowed only from IP 192.168.0.1 and 127.0.0.1:
ADMIN_ALLOWED_IP = "192.168.0.1, 127.0.0.1";
Blocking IFRAME / FRAME calls
const FRAME_NOT_ALLOWED = FALSE;
The constant FRAME_NOT_ALLOWED defines whether IFRAME / FRAME calls should be allowed for X-Cart. You may want to forbid calling X-Cart in IFRAME / FRAME tags to prevent attacks in which the attacker displays X-Cart through a frame and, using web browser vulnerabilities, intercepts the information being entered in it. The possible values for this constant are TRUE and FALSE. If you do not use X-Cart in any pages where X-Cart is displayed through a frame, you can set the value of this constant to TRUE to enhance security. By default the value of this constant is set to FALSE.
Setting the length for the list of unique form identifiers
const FORM_ID_ORDER_LENGTH = 100;
The constant FORM_ID_ORDER_LENGTH sets the length for the list of unique form identifiers.
A unique form identifier ensures that a form is valid and serves as a protection from CSRF (cross-site request forgery) attacks. For each user session, the system generates an ordered list of unique identifiers and assigns them to every X-Cart’s page opened by the user which contains a submittable HTML form designed for sending input data using the POST method. These identifiers are intended to ensure the authenticity of every single form: every time the user makes an attempt to submit a form, X-Cart checks whether the form identifier is on the list. If it is, the form is considered genuine (i.e. generated by X-Cart during the current session) and, thus, safe for sending input data. If the identifier is missing from the list, the form is treated as suspicious, and no input data can be submitted through it.
The number of identifiers in the list corresponds to the value of the FORM_ID_ORDER_LENGTH constant. By default the value is set to 100. It means that for every section the list can contain no more than 100 unique identifiers, and at any given time X-Cart will treat no more than 100 forms as genuine. If the number of forms opened by the user during one section exceeds the value defined by FORM_ID_ORDER_LENGTH, X-Cart will remove from the list the earliest identifiers and replace them with new identifiers for the recently opened forms.
By editing the value of the FORM_ID_ORDER_LENGTH constant you can increase or decrease the number of forms that will be concurrently considered genuine. If FORM_ID_ORDER_LENGTH is not declared or is set to a non-numeric value or a value smaller than 1, its value will be automatically set to 100.
Setting disallowed file types
const DISALLOWED_FILE_EXTS = 'phtml, phar, php5, php4, php3, php, pl, cgi, asp, exe, com, bat, pif, htaccess';
The constant DISALLOWED_FILE_EXTS specifies the file types disallowed for upload. Here disallowed file extensions should be specified as a comma separated list.
Checking MD5 of compiled templates
const COMPILED_TPL_CHECK_MD5 = TRUE;
The constant COMPILED_TPL_CHECK_MD5 defines whether MD5 checking should be used for compiled templates. The possible values for this constant are TRUE and FALSE. It is highly recommended to keep this option enabled (set to TRUE) for better store protection if your store is installed in a shared hosting environment. If you are not using a shared hosting service and are sure that the other users of your hosting service provider cannot gain access to your store's files, it is recommended to disable this option (set this constant to FALSE) to improve your store's performance.enables/disables the functionality of checking the MD5 checksums of compiled templates for better store protection in a shared hosting environment. By default the value of this constant is set to TRUE.
Storing customers' checking account details
const STORE_CHECKING_ACCOUNTS = FALSE;
The constant STORE_CHECKING_ACCOUNTS (formerly $store_ch) defines whether your customers' checking account details should be stored in the database. This includes:
- Bank account number;
- Bank routing number;
- Fraction number.
If Direct Debit is used, Account owner name is stored instead of Fraction number. The possible values for this constant are:
- TRUE: X-Cart stores your customers' checking account details in the order details.
- FALSE: X-Cart does not store your customers' checking account details anywhere.
Checking the authenticity of admin profiles in xcart_customers
const CHECK_CUSTOMERS_INTEGRITY = TRUE;
The constant CHECK_CUSTOMERS_INTEGRITY defines whether admin and (X-Cart PLATINUM) provider profiles in the xcart_customers table should be checked for authenticity to prevent their malicious faking and stealing. The possible values for this constant are TRUE and FALSE. It is highly recommended to keep this option enabled (set to TRUE) at all times.
Checking the authenticity of Social login admin profiles in xcart_xauth_user_ids
const CHECK_XAUTH_USER_IDS_INTEGRITY = TRUE;
The constant CHECK_XAUTH_USER_IDS_INTEGRITY defines whether Social login admin and (X-Cart PLATINUM) provider profiles in the xcart_xauth_user_ids table should be checked for authenticity to prevent their malicious faking and stealing. The check ensures the integrity of the association between the Social login id of admin and provider users and their X-Cart user profiles. The possible values for this constant are TRUE and FALSE. It is highly recommended to keep this option enabled (set to TRUE) at all times.
Checking the authenticity of the password_reset_key field in xcart_reset_passwords
const CHECK_RESET_PASSWORDS_INTEGRITY = TRUE;
The constant CHECK_RESET_PASSWORDS_INTEGRITY defines whether the password_reset_key field in the xcart_reset_passwords table should be checked for authenticity in order to prevent malicious faking and stealing of its contents. The check ensures the integrity of the association between a password reset key and the user for whom it was generated. The possible values for this constant are TRUE and FALSE. It is highly recommended to keep this option enabled (set to TRUE) at all times.
Checking the authenticity of critical config values in xcart_config
const CHECK_CONFIG_INTEGRITY = TRUE;
The constant CHECK_CONFIG_INTEGRITY defines whether critical config values stored in the xcart_config table should be checked for authenticity in order to prevent their malicious faking and stealing. The possible values for this constant are TRUE and FALSE. It is highly recommended to keep this option enabled (set to TRUE) at all times. The config values protected by CHECK_CONFIG_INTEGRITY are as follows:
'site_administrator' => 'Site administrator email address', // without category 'ip_register_codes' => 'List of IP addresses awaiting registration', // without category 'allowed_ips' => 'Allowed IP addresses', // without category 'xpc_allowed_ip_addresses' => 'IP addresses for X-Payments callbacks', // XPayments_Connector 'smtp_server' => 'SMTP server', // Email 'use_smtp' => 'Use SMTP server instead of internal PHP mailer', // Email 'unallowed_request_notify' => 'Notify the site administrator by email if unallowed request to site occurs', // Email_Note 'eml_login_error' => 'Login error notification to site administrator', // Email_Note 'admin_sqlerror_notify' => 'Notify the site administrator about SQL errors in the store by email', // Email_Note 'allow_ips' => 'Check if payment gateway response is coming from the IP\'s specified here (enter a comma separated list)', // Security
Synchronizing user sessions of the primary store domain and additional domain aliases
define('USE_SESSION_HISTORY', true);
The constant USE_SESSION_HISTORY defines whether the functionality for synchronizing user sessions of the primary store domain and additional domain aliases should be enabled. The possible values for this constant are true and false. The value of this constant must be set to true if you use domain aliases for the Customer area of your store and wish to be able to simultaneously work both with the Admin and Customer areas without losing your current user session.
Enabling CURLOPT_INTERFACE setting for libcurl
define('USE_CURLOPT_INTERFACE', false);
The constant USE_CURLOPT_INTERFACE enables the functionality that forces the use of the CURLOPT_INTERFACE setting for the libcurl https module. This setting is required by some payment gateways. Example error text: "Information received from an Invalid IP address. (INVALID)" Take a look at the page http://www.php.net/manual/en/function.curl-setopt.php#CURLOPT_INTERFACE for the description of the CURLOPT_INTERFACE setting.
Enabling HTTP 1.0 compatibility mode
define('HTTP_1_0_COMPATIBILITY_MODE', false);
The constant HTTP_1_0_COMPATIBILITY_MODE can be used to enable the HTTP 1.0 protocol for requests sent by X-Cart to external services in case of problems with HTTP 1.1 requests. The possible values for this constant are true and false.
Limiting the number of HTTPS redirects
$https_redirect_limit = 20;
The variable $https_redirect_limit sets a limit for the number of redirects from HTTP to HTTPS. When this limit is reached, X-Cart supposes that the HTTPS part of the store does not work and stops trying to redirect to the HTTPS part. If the value of the variable is not a number or is less than zero, redirection will happen every time.
Debug mode settings
$debug_mode = 3;
The variable $debug_mode defines X-Cart's error tracking behavior. The possible values for this variable are:
- 0: Error tracking is disabled.
- 1: Errors and notices are displayed on the store pages (For SQL errors, execution of the script is stopped).
- 2: Errors and notices are written to log files (var/log/x-errors_*.php); no debug info is displayed on the store pages.
- 3: Errors and notices are both displayed on the store pages and written to log files.
By default the value of this variable is set to 2.
X-Cart security keys
The variables $xc_security_key* are used to store X-Cart security keys that ensure the security of admin operations. These keys are involved in the generation of digital signatures used to ensure the authenticity of certain types of data stored in the database:
- $xc_security_key_session: This key is used for the generation of signatures for admin and (X-Cart PLATINUM) provider user profiles, password reset keys, Social Login admin and (X-Cart PLATINUM) provider profiles and sessions.
- $xc_security_key_config: This key is used for the generation of signatures for critical xcart_config values.
- $xc_security_key_general: This key is used for X-Cart's X-Monitoring module.
Without the key no one will be able to recreate the signature of a database record, so no one will be able to fake a database record by substituting their own data. Similarly to your store's $blowfish_key value, the values of $xc_security_key* variables must be unique per store and must be stored securely. To enhance the security of your store, it is recommended to periodically update the security keys by re-generating them. To re-generate your security keys, you only need to re-generate your Blowfish key: the $xc_security_key* keys will be re-generated automatically along with the $blowfish_key value.