Difference between revisions of "X-Cart:Config.php"

From X-Cart 4 Classic
Jump to: navigation, search
(X-Cart HTTP & HTTPS host and web directory)
m (Blocking IFRAME / FRAME calls: FRAME_NOT_ALLOWED)
 
(48 intermediate revisions by 4 users not shown)
Line 1: Line 1:
X-Cart’s main configuration file config.php is located in the X-Cart root directory. config.php is a plain text file which keeps global definitions and directives for the installed copy of the X-Cart software. The values of the variables inside the config.php file must be edited very carefully, because these settings affect the general operating capability of your store.
+
X-Cart’s main configuration file config.php is located in the X-Cart root directory. config.php is a plain text file which keeps global definitions and directives for the installed copy of [https://www.x-cart.com your X-Cart shopping cart software]. The values of the variables inside the config.php file must be edited very carefully, because these settings affect the general operating capability of your store.
  
 
The instructions below aim at helping you understand what each of the variables answers for, so that you could configure your store correctly.
 
The instructions below aim at helping you understand what each of the variables answers for, so that you could configure your store correctly.
Line 7: Line 7:
 
<pre>
 
<pre>
 
$sql_host =’%SQL_HOST%’;
 
$sql_host =’%SQL_HOST%’;
 +
$sql_db =’%SQL_DB%’;
 
$sql_user =’%SQL_USER%’;
 
$sql_user =’%SQL_USER%’;
$sql_db =’%SQL_DB%’;
 
 
$sql_password =’%SQL_PASSWORD%’;
 
$sql_password =’%SQL_PASSWORD%’;
 
</pre>
 
</pre>
  
This section contains variables which keep the details of the MySQL database that you use for your X-Cart based store. X-Cart uses the values of these variables to connect to the database. If the variables contain incorrect values, X-Cart will not be able to connect to the database and open any of the store pages. Instead, you will see an error message saying that X-Cart cannot connect to the MySQL server.
+
This section configures a connection between X-Cart and your MySQL database.
 +
 
 +
If X-Cart is installed using Web installation, the variables of this section are configured in the Installation Wizard. If you install X-Cart manually, or if your MySQL server information changes after X-Cart installation, this section should be edited to provide database access details.
 +
 
 +
The variables defined in this section are the following:
 +
 
 +
* $sql_host: The DNS name or the IP-address of your MySQL server (and, optionally, socket).
 +
* $sql_db: The name of your MySQL database.
 +
* $sql_user: The username for your MySQL user account.
 +
* $sql_password: The password for your MySQL user account.
  
With automatic installation via the Installation Wizard, you do not need to modify the values of these variables, because the installation script writes the new values of the variables according to the information that you provide at the third step of the Installation Wizard (Step 3: Preparing to install X-Cart database).
+
Since X-Cart version 4.5.0, this section also contains the following variables:
 +
<pre>
 +
$sql_charset ='utf8';
 +
$sql_collation ='utf8_general_ci';
 +
</pre>
  
However, if you install X-Cart manually, you need to edit the values of the variables and provide correct access information for the database and the database server. You may also need to edit the values of these variables when you transfer/copy your store to a different server or when your MySQL server details change.
+
* $sql_charset - The character set used by the store's database. By default, the value of this variable is 'utf8'.
 +
* $sql_collation - The collation (set of rules for comparing characters in the character set) used by the store's database. By default, the value of this variable is 'utf8_general_ci'.
  
The variables in this section correspond to:
+
In multi-language stores, the charset and collation specified here will be used for all the supported languages.
 +
 
 +
By changing the values of the $sql_charset and $sql_collation variables, you can configure your store to use a different charset and a different collation. However, please note that, after X-Cart has been installed, the value of the $sql_charset variable should not be changed without actually converting the database. If you wish to change the charset used by your store, you need to convert your database to the required charset BEFORE changing the value of the $sql_charset variable in <u>config.php</u>. The instructions for converting the database to use a different charset are available here:  [[X-Cart:FAQs#How_do_I_set_up_my_X-Cart_to_support_UTF-8.3F |  X-Cart FAQs: How do I set up my X-Cart to support UTF-8?]]
 +
 
 +
The value of the $sql_collation variable can be changed at any time to any collation supported by your charset.  To list the collations available for your charset, use the SHOW COLLATION statement with the LIKE clause. For example, to see the collations for the latin1 (cp1252 West European) character set, use this statement to find those collation names that begin with latin1:
 +
<pre>
 +
SHOW COLLATION LIKE '%latin1%';
 +
</pre>
  
* $sql_host: The DNS name or the IP-address of your MySQL server (and, optionally, socket);
+
For more information about Character Sets and Collations, see manuals at http://dev.mysql.com/.
* $sql_user: The username for your MySQL user account;
 
* $sql_db: The name of your MySQL database;
 
* $sql_password: The password for your MySQL user account.
 
  
 
===X-Cart HTTP & HTTPS host and web directory===
 
===X-Cart HTTP & HTTPS host and web directory===
  
 
<pre>
 
<pre>
$xcart_http_host =$HTTP_HOST”;
+
$xcart_http_host ="$_SERVER[HTTP_HOST]";
$xcart_https_host =$HTTP_HOST”;
+
$xcart_https_host ="$_SERVER[HTTP_HOST]";
 
$xcart_web_dir =”/xcart”;
 
$xcart_web_dir =”/xcart”;
 
</pre>
 
</pre>
  
This section contains variables which keep the information about the physical location of the X-Cart files. X-Cart uses the values of these variables to correctly address the scripts, templates and other X-Cart files. If the variables contain incorrect values, X-Cart will not be able to display pages correctly.
+
This section contains variables which keep the information about the physical location of the X-Cart files. X-Cart uses the values of these variables to correctly address the scripts, [https://market.x-cart.com/ecommerce-templates/ templates] and other X-Cart files. If the variables contain incorrect values, X-Cart will not be able to display pages correctly.
  
 
With automatic installation via the Installation Wizard, you do not need to modify the values of these variables, because the installation script writes the new values to the variables according to the information that you provide at the third step of the Installation Wizard (Step 3: Preparing to install X-Cart database).
 
With automatic installation via the Installation Wizard, you do not need to modify the values of these variables, because the installation script writes the new values to the variables according to the information that you provide at the third step of the Installation Wizard (Step 3: Preparing to install X-Cart database).
Line 107: Line 125:
 
It is also possible that you use domain aliases for your store; however, your store visitors will be redirected to the primary domain if they open the store through an alias. For example, if the store is installed to a domain name example.com which has an alias www.example.com, store visitors will be redirected to http://example.com even if they open in their browsers http://www.example.com.
 
It is also possible that you use domain aliases for your store; however, your store visitors will be redirected to the primary domain if they open the store through an alias. For example, if the store is installed to a domain name example.com which has an alias www.example.com, store visitors will be redirected to http://example.com even if they open in their browsers http://www.example.com.
  
===Storing Customers’ Credit Card Info===
+
===Storing Customers’ credit card info, CVV2 and checking account details===
 
+
{{Note1|'''Important:''' Starting with X-Cart version 4.5.0, X-Cart does not collect or store cardholder data, so the variables '''$store_cc''' and '''$store_cvv2''' are no longer availabe in config.php. The below description of these variables pertains to earlier X-Cart versions in which these variables are available.}}
 +
{{XC versions|from=4.0|to=4.5}}
 +
<br />
 
<pre>
 
<pre>
 
$store_cc = false;
 
$store_cc = false;
 
</pre>
 
</pre>
  
The variable $store_cc allows you to define whether you wish to keep your customers' credit card information in the store database or not.
+
The variable $store_cc defines whether your customers' credit card information should be stored in the database. This includes:
 
 
{{Note1|This variable must be set to true in case you enable 'Subscription' module or 'Credit Card' off-line payment method (manual credit card processing) in the 'Payment methods' section.}}
 
 
 
Customers provide their credit card details at the checkout. This info includes:
 
 
 
 
* cardholder’s name;
 
* cardholder’s name;
 
* card type;
 
* card type;
Line 126: Line 141:
 
* card issue number (for certain types of cards).
 
* card issue number (for certain types of cards).
  
The two possible values for the $store_cc variable are ‘true’ and ‘false’. By default the variable is set to ‘false’. It means that X-Cart does not keep in its database any credit card info that your customers provide when paying for products with their credit cards.
+
The possible values for the $store_cc variable are 'true' and 'false'. By default the variable is set to 'false', which means that X-Cart does not store in its database any credit card info that your customers provide when paying for products with their credit cards (all the info goes directly to the payment gateway). The variable must be set to 'true' if you wish to use X-Cart's '[[X-Cart:Subscriptions | Subscriptions]]' module or the 'Credit Card' offline payment method (manual credit card processing).
 
 
{{Note1|This variable must be set to true in case you enable 'Subscription' module or 'Credit Card' off-line payment method (manual credit card processing) in the 'Payment methods' section.}}
 
 
 
In this case, your customers' credit card info goes directly to the payment gateway which then processes the payment and sends the money to your merchant account. This way of accepting credit card payments online is common practice these days, because it allows you not to pay special attention to the advanced secure environment which is a must when it comes to keeping sensitive credit card info.  Besides, keeping credit card info in a store database is not recommended by the major credit card authorities like VISA and MasterCard, because this task requires high security level of the environment that is used to operate the store (including servers and local computers) which can hardly be ensured by an individual or a medium-size business. Remember: when keeping credit card info in the store database, any possible vulnerability of the environment may result in data theft and potentially involves legal liability.
 
 
 
However, if your business model supposes keeping credit card info and you have adequate resources to ensure the required security level, you can allow X-Cart to keep credit card info in its database by changing the value of the variable $store_cc to 'true'. Or you can leave the value of the variable as 'false' and consider an alternative way of taking credit card info of your customers.
 
 
 
Also, the variable $store_cvv2 must be set to 'true' if you are planning to use the Subscriptions module which introduces the ability to use recurring billing where money for certain products is automatically withdrawn from customer's credit cards at scheduled periods of time. For details on how to use the Subscriptions module, study section [[X-Cart:Subscriptions | Subscriptions]].
 
 
 
===Storing CVV2 codes===
 
  
 +
{{XC versions|from=4.0|to=4.5}}
 +
<br />
 
<pre>
 
<pre>
 
$store_cvv2 = false;
 
$store_cvv2 = false;
 
</pre>
 
</pre>
  
The variable $store_cvv2 allows you to define whether you wish to keep CVV2 codes of your customers’ credit cards in the store database or not.
+
The variable $store_cvv2 defines whether CVV2 codes of your customers’ credit cards should be stored in the database.
  
The two possible values for the $store_cvv2 variable are ‘true’ and ‘false’. By default the variable is set to ‘false’. It means that X-Cart does not keep in its database the CVV2 codes that your customers provide when paying for products with their credit cards.
+
The possible values for the $store_cvv2 variable are 'true' and 'false'. By default the variable is set to 'false', which means that X-Cart does not store in its database any credit card info that your customers provide when paying for products with their credit cards (all the info goes directly to the payment gateway). The variable must be set to 'true' if you wish to use X-Cart's '[[X-Cart:Subscriptions | Subscriptions]]' module or the 'Credit Card' offline payment method (manual credit card processing).
 
 
In this case, the CVV2 codes go directly to the payment gateway which then processes the payment and sends the money to your merchant account. This way of accepting credit card payments online is common practice these days, because it allows you not to pay special attention to the advanced secure environment which is a must when it comes to keeping sensitive credit card info including CVV2 codes. Besides, keeping CVV2 codes (especially with the other credit card info) in a store database is not recommended by the major credit card authorities like VISA and MasterCard, because this task requires high security level of the environment that is used to operate the store (including servers and  local computers) which can hardly be ensured by an individual or a medium-size business. Remember: when keeping credit card info (including CVV2 codes) in the store database, any possible vulnerability of the environment may result in data theft and potentially involves legal liability.
 
 
 
However, if your business model supposes keeping CVV2 codes and you have adequate resources to ensure the required security level, you can allow X-Cart to keep the codes in its database by changing the value of the variable $store_cvv2 to 'true'. Or you can leave the value of the variable as 'false' and consider an alternative way of taking CVV2 codes of your customers' credit cards.
 
 
 
Also, the variable $store_cvv2 must be set to 'true' if you are planning to use the Subscriptions module which introduces the ability to use recurring billing where money for certain products is automatically withdrawn from customer's credit cards at scheduled periods of time. For details on how to use the Subscriptions module, study section [http://www.x-cart.com/xcart_manual/online/subscriptions.htm Subscriptions] further in this manual.
 
 
 
===Storing Customers’ Checking Account Details===
 
  
 +
{{Note1|'''Important:''' The variable $store_ch was removed in X-Cart 4.5.5; however, storing customer's checking account details can still be configured. Please refer to the constant STORE_CHECKING_ACCOUNTS in XCSecurity class (see [[#Storing customers' checking account details | below]]).}}
 +
{{XC versions|from=4.0|to=4.5}}
 
<pre>
 
<pre>
 
$store_ch = false;
 
$store_ch = false;
 
</pre>
 
</pre>
  
The variable $store_ch allows you to define whether you wish to keep your customers' checking account details in the store database or not. Customers provide their checking account details at the checkout. This info includes:
+
The variable $store_ch define whether your customers' checking account details should be stored in the database.
 
 
* bank account number;
 
* bank routing number;
 
* fraction number.
 
 
 
The two possible values for the $store_ch variable are ‘true’ and ‘false’. By default the variable is set to ‘false’. It means that X-Cart does not keep in its database the checking account details that your customers provide when paying for the products with their personal checks.
 
 
 
In this case, the checking account details go directly to the payment gateway which then processes the payment and sends the money to your merchant account. This way of accepting credit card payments online is common practice these days, because it allows you not to pay special attention to the advanced secure environment which is a must when it comes to keeping sensitive data including checking account details. Along with keeping credit card details, keeping checking account details also requires high security level of the environment that is used to operate the store (including servers and  local computers) which can hardly be ensured by an individual or a medium-size business. Remember: when keeping checking account details in the store database, any possible vulnerability of the environment may result in data theft and potentially involves legal liability.
 
 
 
However, if your business model supposes keeping checking account details and you have adequate resources to ensure the required security level, you can allows X-Cart to keep this data in its database by changing the value of the variable $store_ch to 'true'. Or you can leave the value of the variable as 'false' and consider an alternative way of taking checking account details from your customers.
 
  
 
===Default images===
 
===Default images===
Line 194: Line 185:
 
If you wish to use a different HTML page, you can either replace the default image file with a different file having the same name or change the value of the variable  $shop_closed_file and specify the path to the HTML page and page filename.
 
If you wish to use a different HTML page, you can either replace the default image file with a different file having the same name or change the value of the variable  $shop_closed_file and specify the path to the HTML page and page filename.
  
===Single Store mode (X-Cart PRO only)===
+
===Single Store mode (X-Cart PLATINUM and PRO)===
  
 
<pre>
 
<pre>
Line 200: Line 191:
 
</pre>
 
</pre>
  
The variable $single_mode allows you to enable/disable the Single Store mode if your store is based on X-Cart PRO. The Single Store mode is an operating mode which represents your X-Cart PRO based store as a unified environment shared by multiple providers who can edit the products of other store providers. When the Single Store mode is enabled, shipping rates, discounts and discount coupons, taxes and other settings and components are the same for all the store providers.
+
The variable $single_mode allows you to enable/disable the Single Store mode if your store is based on X-Cart PLATINUM or PRO. The Single Store mode is an operating mode which represents your X-Cart PLATINUM or PRO based store as a unified environment shared by multiple providers who can edit the products of other store providers. When the Single Store mode is enabled, shipping rates, discounts and discount coupons, taxes and other settings and components are the same for all the store providers.
  
 
The two possible values for the $single_mode variable are ‘true’ and ‘false’. Setting the value to ‘true’ enables the Single Store mode. Setting the value to ‘false’ restores the normal mode where your store providers can control their products only and can have their own shipping rates, discounts, taxes, etc.
 
The two possible values for the $single_mode variable are ‘true’ and ‘false’. Setting the value to ‘true’ enables the Single Store mode. Setting the value to ‘false’ restores the normal mode where your store providers can control their products only and can have their own shipping rates, discounts, taxes, etc.
  
Note: If your store is based on X-Cart GOLD, the value of $single_mode must always be set to ‘true’. Changing the value to ‘false’ will not turn your X-Cart GOLD into X-Cart PRO.
+
Note: If your store is based on X-Cart GOLD or GOLD PLUS, the value of $single_mode must always be set to ‘true’. Changing the value to ‘false’ will not turn your X-Cart GOLD or GOLD PLUS into X-Cart PLATINUM/PRO.
  
 
You should only change the value of the $single_mode variable before any products, destination zones, shipping and tax rates are configured in the store. If you try to change the value of this variable after some providers have adjusted their settings, these settings will be corrupted.
 
You should only change the value of the $single_mode variable before any products, destination zones, shipping and tax rates are configured in the store. If you try to change the value of this variable after some providers have adjusted their settings, these settings will be corrupted.
 +
 +
See also: [[X-Cart:Simple_Mode|Simple Mode]]
  
 
===FedEx Rates directory===
 
===FedEx Rates directory===
 
+
This feature was removed in X-Cart 4.1.0 beta and is not available in later versions.
 +
<br />
 +
<br />
 
<pre>
 
<pre>
 
$fedex_default_rates_dir = $xcart_dir.”/shipping/FedEx/”;
 
$fedex_default_rates_dir = $xcart_dir.”/shipping/FedEx/”;
Line 219: Line 214:
  
 
<pre>
 
<pre>
$log_dir = /log”;
+
$var_dirs['log'] = $xcart_dir . '/var/log';
 
</pre>
 
</pre>
  
The variable $log_dir keeps the location of the directory with the X-Cart log files. By default the value of this variable is set to '/log'. The '/' sign means that the log directory is located inside the X-Cart root directory.
+
The variable $var_dirs['log'] defines the location of the directory where X-Cart log files are stored.
  
 
===Cache directory===
 
===Cache directory===
  
 
<pre>
 
<pre>
$data_cache_dir = /cache”;
+
$var_dirs['cache'] = $xcart_dir.'/var/cache';
 +
$var_dirs['smarty_cache'] = $var_dirs['cache'] . '/smarty_cache';
 +
$var_dirs['search_cache'] = $var_dirs['cache'] . '/search_cache';
 +
$var_dirs['product_cache'] = $var_dirs['cache'] . '/product_cache';
 +
$var_dirs_web['cache'] = '/var/cache';
 
</pre>
 
</pre>
  
The variable $data_cache_dir keeps the location of the directory with the X-Cart cache files. By default the value of this variable is set to '/cache'. The '/' sign means that the cache directory is located inside the X-Cart root directory.
+
The variable $var_dirs['cache'] defines the location of the directory where X-Cart cache files are stored.
  
 
===Export directory===
 
===Export directory===
  
$export_dir = $log_dir;
+
<pre>
 +
$export_dir = $var_dirs['tmp'];
 +
</pre>
  
The variable $export_dir keeps the location of the directory to which X-Cart exports CSV files with data. By default the value of this variable is set to '$log_dir' where $log_dir means the directory with the X-Cart log files.
+
The variable $export_dir defines the location of X-Cart export directory (a directory on X-Cart server to which the CSV files of export packs are stored).
  
 
===Correcting debug mode===
 
===Correcting debug mode===
Line 249: Line 250:
  
 
<pre>
 
<pre>
$use_session_length = 3600;
+
define('XCART_SESSION_LENGTH', 3600);
 
</pre>
 
</pre>
 +
(in versions prior to 4.5.3 used to be $use_session_length = 3600;)
  
 
Defines session duration, in seconds. Avoid setting too little values for this variable, as that may cause the malfunction of lengthy store procedures, such as HTML catalog generation and data import/export. The recommended is at least 3600.
 
Defines session duration, in seconds. Avoid setting too little values for this variable, as that may cause the malfunction of lengthy store procedures, such as HTML catalog generation and data import/export. The recommended is at least 3600.
  
===Restricting access to Admin area by IP===
+
===Section marked "DO NOT CHANGE ANYTHING BELOW THIS LINE UNLESS YOU REALLY KNOW WHAT YOU ARE DOING"===
 +
 
 +
We strongly recommend you do not change any configuration settings that go below the line that says:
  
 
<pre>
 
<pre>
$admin_allowed_ip = '';
+
# DO NOT CHANGE ANYTHING BELOW THIS LINE UNLESS
 +
# YOU REALLY KNOW WHAT ARE YOU DOING
 
</pre>
 
</pre>
  
Comma-separated list of IP addresses, allowed to access the Admin area. Leave empty for unrestricted access or list addresses that are allowed to access the Admin area.
+
Editing the settings below this line requires profound knowledge of the X-Cart architecture. Tampering with these settings may cause considerable damage to your store.
  
'''Example:'''
+
Below are some notes on the contents of this section.
  
Access unrestricted:
+
===Automatic repair of broken indexes in mySQL tables===
 +
<pre>
 +
$mysql_autorepair = true;
 +
</pre>
  
 +
The value of the variable $mysql_autorepair defines whether in case of SQL errors like the following:
 
<pre>
 
<pre>
$admin_allowed_ip = '';
+
Table 'xcart_table_name' is marked as crashed and should be repaired
 +
Incorrect key file for table 'xcart_table_name'. try to repair it
 +
Old key file for table 'xcart_table_name'. repair it.
 
</pre>
 
</pre>
 +
X-Cart should automatically try to repair the possibly corrupted tables using the SQL statement REPAIR TABLE (http://dev.mysql.com/doc/refman/5.1/en/repair-table.html).
  
Access allowed only to users from IP addresses 192.168.0.1 and 127.0.0.1:
+
===Enabling/Disabling data caching===
 +
<pre>
 +
define('USE_DATA_CACHE', true);
 +
</pre>
 +
 
 +
The constant '''USE_DATA_CACHE''' defines whether your store should use data caching.
 +
 
 +
When enabled, you store's cache includes the following data:
 +
:* active modules
 +
:* setup_images
 +
:* charsets
 +
:* payments for which https is enabled
 +
:* sql requests
 +
:* sql_tables_fields
 +
:* sql_vars
 +
 
 +
Also, the results of the following functions are cached:
 +
:* get_categories_tree
 +
:* get_language_vars
 +
:* get_offers_categoryid
 +
:* get_schemes
 +
:* get_default_fields
 +
:* test_active_bouncer
 +
:* tpl_get_xcart_news
 +
:* get_xcart_paid_modules
 +
 
 +
The possible values for the '''USE_DATA_CACHE''' constant are:
 +
:* '''true''': Data caching is enabled.
 +
:* '''false''': Data caching is disabled.
 +
By default the value is set to '''true'''. Changing the value to '''false''' is reasonable only if you experience problems using the store with caching enabled (e.g. if you keep getting error messages about files in the <u>/var/cache</u> directory of your X-Cart installation).
 +
 
 +
<pre>
 +
define('DATA_CACHE_TTL', 24*3600);
 +
</pre>
 +
The constant '''DATA_CACHE_TTL''' defines how often your store's cache should be re-generated. By default the value is set to 24*3600, which means that cache will be re-generated every 24 hours.
 +
 
 +
<pre>
 +
define('USE_SQL_DATA_CACHE', false);
 +
</pre>
 +
The constant '''USE_SQL_DATA_CACHE''' defines whether your store should cache the results of heavy database queries. Enabling this type of caching is not recommended in the development period - while you are still adding new products to the store's catalog and making a lot of changes via the store's administration back end. However, when your store is ready to go live (so you won't be making many changes), enabling this option is recommended to enhance your store's performance. Note that we do not guarantee compatibility of this feature with 3rd party add-on modules.
  
 
<pre>
 
<pre>
$admin_allowed_ip = "192.168.0.1, 127.0.0.1";
+
define('SQL_DATA_CACHE_TTL', 3600);
 
</pre>
 
</pre>
 +
The constant '''DATA_CACHE_TTL''' defines how often your store's SQL data cache should be re-generated.
  
===Section marked "DO NOT CHANGE ANYTHING BELOW THIS LINE UNLESS YOU REALLY KNOW WHAT YOU ARE DOING"===
+
===Enabling Protected mode for security sensitive operations performed via the store's back end===
 +
<pre>
 +
const PROTECT_DB_AND_PATCHES = 'ip';
 +
</pre>
 +
<pre>
 +
const PROTECT_ESD_AND_TEMPLATES = 'ip';
 +
</pre>
 +
The constants '''PROTECT_DB_AND_PATCHES''' and '''PROTECT_ESD_AND_TEMPLATES''' define whether protection against unauthorized access to security-sensitive operations via the store's back end should be used and allow you to choose the protection method.
 +
 
 +
:* '''PROTECT_DB_AND_PATCHES''' applies to SQL/security and upgrade/patch operations performed via X-Cart's Admin area including the following:
 +
::* admin/db_backup.php - operations of creating a backup of your store's database and restoring the database from backup via the 'Database Backup/Restore' page in Admin area;
 +
::* CHANGE_SECURITY_OPTIONS - changing any settings on the General settings/Security options page (Settings->General settings->Security) in Admin area;
 +
::* PATCH_FILES, PATCH_SQL - Apply Patch and Apply SQL patch operations via the Patch/Upgrade center page (Tools->Patch/Upgrade) in Admin area;
 +
::* UPGRADE - Upgrade operations via the Patch/Upgrade center page (Tools->Patch/Upgrade) in Admin area;
 +
::* ADD_ALLOWED_ADMIN_IP - adding allowed IP addresses via the 'Allowed IP addresses' section on the User access control page (Tools menu -> Maintenance -> "See also" tab (right-side menu) -> User access control) in Admin area;
 +
::* CHANGE_ALLOWED_ADMIN_IP - editing the list of allowed IP addresses  via the 'Allowed IP addresses' section;
 +
::* IMPORT_ADMIN_PROFILES, MANAGE_ADMIN_PROFILES - import and modification of admin user profiles;
 +
::* MANAGE_SYSTEM_FINGERPRINTS / MANAGE_XMONITORING_FILES / MANAGE_LOGS
 +
 
 +
:* '''PROTECT_ESD_AND_TEMPLATES''' applies to:
 +
::* Edit templates - any operations via the Browse templates section in Admin and (X-Cart PLATINUM) Provider area;
 +
::* FILE_OPERATIONS - any operations via the Browse files section in Admin and (X-Cart PLATINUM) Provider area.
 +
 
 +
The possible values for these constants are:
 +
:* ''''ip'''': Access to the protected pages is allowed only from specific IP addresses ('ip'-based protection method).
 +
:* ''''file'''': (Strongly recommended) Access to the protected pages is allowed only after creating a special file in the <u>var/tmp</u> folder ('file'-based protection method). Using the 'file'-based protection method provides the highest level of security.
 +
:* '''FALSE''': (Not recommended) Protection is disabled.
 +
 
 +
For more information, see the section on [[X-Cart:Protected_Mode|Protected Mode]].
 +
 
 +
===Binding the session id of admin user to IP address===
 +
<pre>
 +
const PROTECT_XID_BY_IP = 'mask';
 +
</pre>
 +
The constant '''PROTECT_XID_BY_IP''' defines whether the session id of admin user should be locked to the IP address from which this session originated.
 +
The possible values are  (from high security level to low):
 +
:* ''''ip'''': (Strongly recommended) The session id of admin user is locked to a specific IP address. For example, 192.168.31.40. Using this value provides the highest level of security.
 +
:* ''''secure_mask'''': The session id of admin user is locked to the IP subnetwork including the IP address from which the admin session originated. For example, 192.168.31.*. Using this value provides medium to high level of security.
 +
:* ''''mask'''': The session id of admin user is locked to the IP subnetwork including the IP address from which the admin session originated. For example, 192.168.*.*. Using this value provides medium to low level of security.
 +
:* '''FALSE''': (Not recommended) Binding of admin user session id to his IP address is disabled. You may want to use this value if admin is going to work via two or more ISPs alternating all the time.
 +
Note that, if the value of '''PROTECT_XID_BY_IP''' at your store is set to ''''ip'''', in rare cases (namely, if your ISP changes your IP address too often, like every few seconds) you may experience problems logging in to the Admin area. If this happens, consider switching to ''''secure_mask''''/''''mask'''' or disable binding of admin user session IDs to IP addresses altogether by setting the value of '''PROTECT_XID_BY_IP''' to '''FALSE'''.
 +
 
 +
===Restricting access to the store's back end by IP===
 +
<pre>
 +
const BLOCK_UNKNOWN_ADMIN_IP = FALSE;
 +
</pre>
 +
The constant '''BLOCK_UNKNOWN_ADMIN_IP''' (in X-Cart versions prior to 4.5.5 known as '''SECURITY_BLOCK_UNKNOWN_ADMIN_IP''') defines whether the store's user access control functionality is enabled. This functionality prevents usage of your store's back-end from IP addresses that have not been approved by the store admin.
 +
The possible values are:
 +
:* '''TRUE''': User access control functionality is enabled; the store's back end can be accessed only from the IP addresses specified in the 'Allowed IP addresses' section in Admin area.
 +
:* '''FALSE''': User access control functionality is disabled; the store's back end can be accessed from any IP address.
 +
By default the value of this constant is set to '''FALSE'''.
 +
For more information, see the section [[X-Cart:User_Access_Control|User Access Control]].
 +
 
 +
<pre>
 +
const ADMIN_ALLOWED_IP = '';
 +
</pre>
 +
The constant '''ADMIN_ALLOWED_IP''' (in X-Cart versions prior to 4.5.5 known as '''$admin_allowed_ip''') specifies the IP addresses from which access to the store's back end should be allowed. You can leave the value empty for unrestricted access or provide a comma separated list of trusted IP addresses to allow access only from these IP addresses.<br />
 +
For example:<br />
 +
:* Unrestricted access:
 +
<pre>ADMIN_ALLOWED_IP = '';</pre>
 +
:* Access is allowed only from IP 192.168.0.1 and 127.0.0.1:
 +
<pre>ADMIN_ALLOWED_IP = "192.168.0.1, 127.0.0.1";</pre>
 +
 
 +
'''BLOCK_UNKNOWN_ADMIN_IP''' and '''ADMIN_ALLOWED_IP''' basically serve the same purpose: they fully block access to the store's back end for users whose IP address is not on the list of allowed IP addresses. However, these features use different sets of IP addresses: '''ADMIN_ALLOWED_IP''' stores IP addresses in the file <u>config.php</u>, whereas '''BLOCK_UNKNOWN_ADMIN_IP''' uses IP addresses stored in the database. In practice this means that '''ADMIN_ALLOWED_IP''' provides somewhat better protection than '''BLOCK_UNKNOWN_ADMIN_IP''', because a hacker is far less likely to get their hands on <u>config.php</u> than to try and insert their IP address into the list stored in the database.
 +
 
 +
Note that the list of IP addresses in '''ADMIN_ALLOWED_IP''' is the first place that X-Cart checks to determine whether a specific IP address is 'allowed': if the list of IP addresses in '''ADMIN_ALLOWED_IP''' is not empty, and the IP address being checked is not on that list, X-Cart will simply deny access to the user without even checking whether the IP address is contained in the list used by other IP-based methods of protection, like User access control functionality and Protected mode. This means that if you intend to use User access control functionality (BLOCK_UNKNOWN_ADMIN_IP = TRUE) or 'ip'-based Protected mode (BLOCK_UNKNOWN_ADMIN_IP = FALSE with PROTECT_DB_AND_PATCHES and/or PROTECT_ESD_AND_TEMPLATES set to 'ip'), you will need to either add everything from the list of allowed IP addresses in your database to the list of IP addresses stored in '''ADMIN_ALLOWED_IP''' as well, or disable the '''ADMIN_ALLOWED_IP''' feature altogether.
 +
 
 +
===Blocking IFRAME / FRAME calls===
 +
<div id="FRAME_NOT_ALLOWED"></div>
 +
 
 +
<pre>
 +
const FRAME_NOT_ALLOWED = FALSE;
 +
</pre>
 +
The constant '''FRAME_NOT_ALLOWED''' defines whether IFRAME / FRAME calls should be allowed for X-Cart. You may want to forbid calling X-Cart in IFRAME / FRAME tags to prevent attacks in which the attacker displays X-Cart through a frame and, using web browser vulnerabilities, intercepts the information being entered in it. The possible values for this constant are '''TRUE''' and '''FALSE'''. If you do not use X-Cart in any pages where X-Cart is displayed through a frame, you can set the value of this constant to '''TRUE''' to enhance security. By default the value of this constant is set to '''FALSE'''.
 +
 
 +
===Setting the length for the list of unique form identifiers===
 +
<pre>
 +
const FORM_ID_ORDER_LENGTH = 100;
 +
</pre>
 +
The constant '''FORM_ID_ORDER_LENGTH''' sets the length for the list of unique form identifiers.
 +
 
 +
A unique form identifier ensures that a form is valid and serves as a protection from CSRF (cross-site request forgery) attacks. For each user session, the system generates an ordered list of unique identifiers and assigns them to every X-Cart’s page opened by the user which contains a submittable HTML form designed for sending input data using the POST method. These identifiers are intended to ensure the authenticity of every single form: every time the user makes an attempt to submit a form, X-Cart checks whether the form identifier is on the list. If it is, the form is considered genuine (i.e. generated by X-Cart during the current session) and, thus, safe for sending input data. If the identifier is missing from the list, the form is treated as suspicious, and no input data can be submitted through it.
 +
 
 +
The number of identifiers in the list corresponds to the value of the '''FORM_ID_ORDER_LENGTH''' constant. By default the value is set to 100. It means that for every section the list can contain no more than 100 unique identifiers, and at any given time X-Cart will treat no more than 100 forms as genuine. If the number of forms opened by the user during one section exceeds the value defined by '''FORM_ID_ORDER_LENGTH''', X-Cart will remove from the list the earliest identifiers and replace them with new identifiers for the recently opened forms.
 +
 
 +
By editing the value of the '''FORM_ID_ORDER_LENGTH''' constant you can increase or decrease the number of forms that will be concurrently considered genuine. If '''FORM_ID_ORDER_LENGTH''' is not declared or is set to a non-numeric value or a value smaller than 1, its value will be automatically set to 100.
  
We strongly recommend you do not change any configuration settings that go below the line that says:
+
===Setting disallowed file types===
 +
<pre>
 +
const DISALLOWED_FILE_EXTS =
 +
'phtml, phar, php5, php4, php3, php, pl, cgi, asp, exe, com, bat, pif, htaccess';
 +
</pre>
 +
The constant '''DISALLOWED_FILE_EXTS''' specifies the file types disallowed for upload. Here disallowed file extensions should be specified as a comma separated list.
  
 +
===Checking MD5 of compiled templates===
 
<pre>
 
<pre>
# DO NOT CHANGE ANYTHING BELOW THIS LINE UNLESS
+
const COMPILED_TPL_CHECK_MD5 = FALSE;
# YOU REALLY KNOW WHAT ARE YOU DOING
 
 
</pre>
 
</pre>
 +
The constant '''COMPILED_TPL_CHECK_MD5''' defines whether MD5 verification should be used for compiled templates. The possible values for this constant are '''TRUE''' and '''FALSE'''. It is highly recommended to keep this option disabled (set to '''FALSE''') to avoid negative effect on the store's performance. The only exceptions to this recommendation are:
 +
:# when you are on a shared hosting, and other users of this hosting have write permissions to the var/templates_c directory of your X-Cart installation.
 +
:# when you are not sure your hosting provides a high level of protection against viruses or may have other security vulnerabilities which may result in an intruder gaining write access to the var/templates_c directory.
 +
 +
Starting with X-Cart version 4.7.0, the value of the COMPILED_TPL_CHECK_MD5 constant has no effect on the store's operation.
  
Editing the settings below this line requires profound knowledge of the X-Cart architecture. Tampering with these settings may cause considerable damage to your store.
+
===Storing customers' checking account details===
 +
<pre>
 +
const STORE_CHECKING_ACCOUNTS = FALSE;
 +
</pre>
  
However, sometimes it may be critical to know what the constants of this section mean.
+
The constant '''STORE_CHECKING_ACCOUNTS''' (formerly '''$store_ch''') defines whether your customers' checking account details should be stored in the database. This includes:
 +
:* Bank account number;
 +
:* Bank routing number;
 +
:* Fraction number.
 +
If Direct Debit is used, Account owner name is stored instead of Fraction number.
 +
The possible values for this constant are:
 +
:* '''TRUE''': X-Cart stores your customers' checking account details in the order details.
 +
:* '''FALSE''': X-Cart does not store your customers' checking account details anywhere.
  
 +
===Checking the authenticity of admin profiles in xcart_customers===
 
<pre>
 
<pre>
define("USE_DATA_CACHE", true);
+
const CHECK_CUSTOMERS_INTEGRITY = TRUE;
 
</pre>
 
</pre>
  
This constant defines whether your store should use data caching or not. The two possible values for the USE_DATA_CACHE constant are 'true' and 'false'. By default the value is set to 'true'. It means that caching is enabled.
+
The constant '''CHECK_CUSTOMERS_INTEGRITY''' defines whether admin and (X-Cart PLATINUM) provider profiles in the xcart_customers table should be checked for authenticity to prevent their malicious faking and stealing. The possible values for this constant are '''TRUE''' and '''FALSE'''. It is highly recommended to keep this option enabled (set to '''TRUE''') at all times.
  
Changing the value to 'false' is reasonable only if you experience problems in using the store with the enabled caching (e.g. if you keep getting error messages about the files in the /var/cache directory of your X-Cart installation).
+
===Checking the authenticity of Social login admin profiles in xcart_xauth_user_ids===
 +
<pre>
 +
const CHECK_XAUTH_USER_IDS_INTEGRITY = TRUE;
 +
</pre>
  
 +
The constant '''CHECK_XAUTH_USER_IDS_INTEGRITY''' defines whether [[X-Cart:X-Social_Login_(ex_Janrain_Engage)_module | Social login]] admin and (X-Cart PLATINUM) provider profiles in the xcart_xauth_user_ids table should be checked for authenticity to prevent their malicious faking and stealing. The check ensures the integrity of the association between the Social login id of admin and provider users and their X-Cart user profiles. The possible values for this constant are '''TRUE''' and '''FALSE'''. It is highly recommended to keep this option enabled (set to '''TRUE''') at all times.
 +
 +
===Checking the authenticity of the password_reset_key field in xcart_reset_passwords===
 
<pre>
 
<pre>
define("SECURITY_BLOCK_UNKNOWN_ADMIN_IP", false);
+
const CHECK_RESET_PASSWORDS_INTEGRITY = TRUE;
 
</pre>
 
</pre>
 +
The constant '''CHECK_RESET_PASSWORDS_INTEGRITY''' defines whether the password_reset_key field in the xcart_reset_passwords table should be checked for authenticity in order to prevent malicious faking and stealing of its contents. The check ensures the integrity of the association between a password reset key and the user for whom it was generated. The possible values for this constant are '''TRUE''' and '''FALSE'''. It is highly recommended to keep this option enabled (set to '''TRUE''') at all times.
  
This constant allows you to enable the functionality for blocking access to the Admin area of your store from unknown IP addresses. The two possible values for the SECURITY_BLOCK_UNKNOWN_ADMIN_IP constant are 'true' and 'false'. By default the value is set to 'false'. It means that the Admin area can be accessed from any IP address. Before changing the value of this constant, study section [http://www.x-cart.com/xcart_manual/online/user_access_control.htm User Access Control] further in this manual.
+
===Checking the authenticity of critical config values in xcart_config===
 +
<pre>
 +
const CHECK_CONFIG_INTEGRITY = TRUE;
 +
</pre>
 +
The constant '''CHECK_CONFIG_INTEGRITY''' defines whether critical config values stored in the xcart_config table should be checked for authenticity in order to prevent their malicious faking and stealing. The possible values for this constant are '''TRUE''' and '''FALSE'''. It is highly recommended to keep this option enabled (set to '''TRUE''') at all times.
 +
The config values protected by '''CHECK_CONFIG_INTEGRITY''' are as follows:
 +
<pre>
 +
'site_administrator' => 'Site administrator email address', // without category
 +
'ip_register_codes' => 'List of IP addresses awaiting registration', // without category
 +
'allowed_ips' => 'Allowed IP addresses', // without category
 +
'xpc_allowed_ip_addresses' => 'IP addresses for X-Payments callbacks', // XPayments_Connector
 +
'smtp_server' => 'SMTP server', // Email
 +
'use_smtp' => 'Use SMTP server instead of internal PHP mailer', // Email
 +
'unallowed_request_notify' => 'Notify the site administrator by email if unallowed request to site occurs', // Email_Note
 +
'eml_login_error' => 'Login error notification to site administrator', // Email_Note
 +
'admin_sqlerror_notify' => 'Notify the site administrator about SQL errors in the store by email', // Email_Note
 +
'allow_ips' => 'Check if payment gateway response is coming from the IP\'s specified here (enter a comma separated list)', // Security
 +
</pre>
  
 +
===Synchronizing user sessions of the primary store domain and additional domain aliases===
 
<pre>
 
<pre>
define("USE_SESSION_HISTORY", true);
+
define('USE_SESSION_HISTORY', true);
 
</pre>
 
</pre>
  
This constant allows you to enable the functionality for synchronizing user sessions of the primary store domain and additional domain aliases. The two possible values for the USE_SESSION_HISTORY constant are 'true' and 'false'.
+
The constant '''USE_SESSION_HISTORY''' defines whether the functionality for synchronizing user sessions of the primary store domain and additional domain aliases should be enabled. The possible values for this constant are '''true''' and '''false'''.
 +
The value of this constant must be set to '''true''' if you use domain aliases for the Customer area of your store and wish to be able to simultaneously work both with the Admin and Customer areas without losing your current user session.
  
The value of this constant must be set to 'true' if you use domain aliases for the Customer area of your store and wish to be able to simultaneously work both with the Admin and Customer areas without losing your current user session.
+
===Enabling CURLOPT_INTERFACE setting for libcurl===
 +
<pre>
 +
define('USE_CURLOPT_INTERFACE', false);
 +
</pre>
  
 +
The constant '''USE_CURLOPT_INTERFACE''' enables the functionality that forces the use of the CURLOPT_INTERFACE setting for the libcurl https module. This setting is required by some payment gateways. Example error text: "Information received from an Invalid IP address. (INVALID)"
 +
Take a look at the page http://www.php.net/manual/en/function.curl-setopt.php#CURLOPT_INTERFACE for the description of the CURLOPT_INTERFACE setting.
 +
 +
===Enabling HTTP 1.0 compatibility mode===
 
<pre>
 
<pre>
define("FORM_ID_ORDER_LENGTH", 100);
+
define('HTTP_1_0_COMPATIBILITY_MODE', false);
 
</pre>
 
</pre>
  
The FORM_ID_ORDER_LENGTH constant defines the length of a list with unique form identifiers which are used in X-Cart to protect the store against CSRF (cross-site request forgery) attacks.
+
The constant '''HTTP_1_0_COMPATIBILITY_MODE''' can be used to enable the HTTP 1.0 protocol for requests sent by X-Cart to external services in case of problems with HTTP 1.1 requests. The possible values for this constant are '''true''' and '''false'''.
 +
 
 +
===Limiting the number of HTTPS redirects===
 +
<pre>
 +
$https_redirect_limit = 20;
 +
</pre>
  
For each user session, the system generates an ordered list of unique identifiers and assigns them to every X-Cart’s page opened by the user which contains a submittable HTML form designed for sending input data using the POST method.
+
The variable '''$https_redirect_limit''' sets a limit for the number of redirects from HTTP to HTTPS. When this limit is reached, X-Cart supposes that the HTTPS part of the store does not work and stops trying to redirect to the HTTPS part. If the value of the variable is not a number or is less than zero, redirection will happen every time.
  
These identifiers are intended to ensure authenticity of every single form: each time the user is trying to submit a form, X-Cart checks whether the form identifier is in the list. If yes, the form is considered genuine (i.e. generated by X-Cart during the current session) and, thus, safe for sending input data. If the identifier is missing from the list, the form is treated as suspicious, and no input data can be submitted through it.
+
===Development mode and debug mode settings===
  
The number of identifiers in the list corresponds to the value of the FORM_ID_ORDER_LENGTH constant. By default the value is set to 100. It means that for every section the list can contain no more than 100 unique identifiers. And at one time X-Cart will consider as genuine no more than 100 forms. If the number of forms opened by the user during one section exceeds the value defined by FORM_ID_ORDER_LENGTH, X-Cart will remove from the list the earliest identifiers and replace them with new identifiers for the recently opened forms.
+
<pre>
 +
$debug_mode = 2;
 +
</pre>
  
By editing the value of the FORM_ID_ORDER_LENGTH constant you can increase or decrease the number of forms that will be concurrently considered as genuine. If the value is not declared or is less than 1 or is set to a non-numeric value, it will be automatically set to 100.
+
The variable '''$debug_mode''' defines X-Cart's error tracking behavior. The possible values for this variable are:
 +
:* '''0''': Error tracking is disabled.
 +
:* '''1''': Errors and notices are displayed on the store pages (For SQL errors, execution of the script is stopped).
 +
:* '''2''': Errors and notices are written to log files (var/log/x-errors_*.php); no debug info is displayed on the store pages.
 +
:* '''3''': Errors and notices are both displayed on the store pages and written to log files.
 +
The value of this variable should be set to '''2''' for production.
  
 
<pre>
 
<pre>
define("FRAME_NOT_ALLOWED", true);
+
define('DEVELOPMENT_MODE', 1);
 
</pre>
 
</pre>
  
This constant allows you to prohibit opening X-Cart in an iFrame. If the value of the FRAME_NOT_ALLOWED constant is set to 'true', the system will detect any attempt to open X-Cart in an iFrame and force to open it in a main window instead.
+
Enable this directive if you are a developer changing X-Cart source code.
 +
:* This directive enables function assertion http://php.net/assert
 +
:* This directive enables all php warnings/notices
 +
:* This directive should be disabled in production
 +
 
 +
We recommend the following settings for development:<br />$debug_mode = 3;<br />define('DEVELOPMENT_MODE', 1);
 +
 
 +
===X-Cart security keys===
 +
The variables $xc_security_key* are used to store X-Cart security keys that ensure the security of admin operations. These keys are involved in the generation of digital signatures used to ensure the authenticity of certain types of data stored in the database:
 +
* '''$xc_security_key_session''': This key is used for the generation of signatures for admin and (X-Cart PLATINUM) provider user profiles, password reset keys, Social Login admin and (X-Cart PLATINUM) provider profiles and sessions.
 +
* '''$xc_security_key_config''': This key is used for the generation of signatures for critical xcart_config values.
 +
* '''$xc_security_key_general''': This key is used for X-Cart's X-Monitoring module.
 +
Without the key no one will be able to recreate the signature of a database record, so no one will be able to fake a database record by substituting their own data.
 +
Similarly to your store's $blowfish_key value, the values of $xc_security_key* variables must be unique per store and must be stored securely. To enhance the security of your store, it is recommended to periodically update the security keys by re-generating them. To re-generate your security keys, you only need to [[X-Cart:Advanced_Tools#Re-generate_the_Blowfish_Encryption_Key|re-generate your Blowfish key]]: the $xc_security_key* keys will be re-generated automatically along with the $blowfish_key value.
  
 
===Section marked "NEVER CHANGE THE SETTINGS BELOW THIS LINE MANUALLY"===
 
===Section marked "NEVER CHANGE THE SETTINGS BELOW THIS LINE MANUALLY"===
Line 345: Line 561:
 
You must never edit variables in this section, because it will apparently destroy your store.
 
You must never edit variables in this section, because it will apparently destroy your store.
  
For example, this section contains the variable $blowfish_key. This variable keeps your store's Blowfish key that was automatically generated during the X-Cart installation. This key is used to encrypt and decrypt all the sensitive data in your store database including user passwords, credit card info, etc. Since the data in already encrypted, editing the value of the $blowfish_key variable manually will corrupt all user passwords (including the administrator password) and you want be able to use the store. You must also be aware of the fact that a lost Blowfish key cannot be restored, and the X-Cart Support team will not be able to help you regain access to your store if you remove or change the value of the $blowfish_key variable.
+
For example, this section contains the variable $blowfish_key, for example:
 +
 
 +
<pre>
 +
$blowfish_key = '8d5db63ada15e11643a0b1c3477c2c5c';
 +
</pre>
 +
 
 +
This variable keeps your store's Blowfish key that was automatically generated during the X-Cart installation. This key is used to encrypt and decrypt all the sensitive data in your store database including user passwords, credit card info, etc. Since the data in already encrypted, editing the value of the $blowfish_key variable manually will corrupt all user passwords (including the administrator password) and you want be able to use the store. You must also be aware of the fact that a lost Blowfish key cannot be restored, and the X-Cart Support team will not be able to help you regain access to your store if you remove or change the value of the $blowfish_key variable.
 +
 
 +
If for some reason you need to re-generate the Blowfish key generated during the installation, use the built-in X-Cart facility described in the [[X-Cart:Advanced_Tools#Re-generate_the_Blowfish_Encryption_Key | Re-generate the Blowfish Encryption Key]] section of this manual.
  
If for some reason you need to re-generate the Blowfish key generated during the installation, use the built-in X-Cart facility described in the [http://www.x-cart.com/xcart_manual/online/re_generate_the_blowfish_encryption_key.htm Re-generate the Blowfish Encryption Key] section of this manual.
+
==See also==
 +
* [[X-Cart:Blowfish|Blowfish]]
 +
* [[X-Cart:Security_Profiles|Security Profiles]]
 +
* [[X-Cart:User_Access_Control|User Access Control]]
  
 +
[[Category:X-Cart user manual]]
 +
[[Category:X-Cart developer guide]]
 +
[[Category:X-Cart user manual]]
 +
[[Category:X-Cart developer guide]]
 +
[[Category:X-Cart user manual]]
 +
[[Category:X-Cart developer guide]]
 
[[Category:X-Cart user manual]]
 
[[Category:X-Cart user manual]]
 
[[Category:X-Cart developer guide]]
 
[[Category:X-Cart developer guide]]

Latest revision as of 12:52, 15 March 2021

X-Cart’s main configuration file config.php is located in the X-Cart root directory. config.php is a plain text file which keeps global definitions and directives for the installed copy of your X-Cart shopping cart software. The values of the variables inside the config.php file must be edited very carefully, because these settings affect the general operating capability of your store.

The instructions below aim at helping you understand what each of the variables answers for, so that you could configure your store correctly.

Contents

SQL database details

$sql_host =’%SQL_HOST%’;
$sql_db =’%SQL_DB%’;
$sql_user =’%SQL_USER%’;
$sql_password =’%SQL_PASSWORD%’;

This section configures a connection between X-Cart and your MySQL database.

If X-Cart is installed using Web installation, the variables of this section are configured in the Installation Wizard. If you install X-Cart manually, or if your MySQL server information changes after X-Cart installation, this section should be edited to provide database access details.

The variables defined in this section are the following:

  • $sql_host: The DNS name or the IP-address of your MySQL server (and, optionally, socket).
  • $sql_db: The name of your MySQL database.
  • $sql_user: The username for your MySQL user account.
  • $sql_password: The password for your MySQL user account.

Since X-Cart version 4.5.0, this section also contains the following variables:

$sql_charset ='utf8';
$sql_collation ='utf8_general_ci';
  • $sql_charset - The character set used by the store's database. By default, the value of this variable is 'utf8'.
  • $sql_collation - The collation (set of rules for comparing characters in the character set) used by the store's database. By default, the value of this variable is 'utf8_general_ci'.

In multi-language stores, the charset and collation specified here will be used for all the supported languages.

By changing the values of the $sql_charset and $sql_collation variables, you can configure your store to use a different charset and a different collation. However, please note that, after X-Cart has been installed, the value of the $sql_charset variable should not be changed without actually converting the database. If you wish to change the charset used by your store, you need to convert your database to the required charset BEFORE changing the value of the $sql_charset variable in config.php. The instructions for converting the database to use a different charset are available here: X-Cart FAQs: How do I set up my X-Cart to support UTF-8?

The value of the $sql_collation variable can be changed at any time to any collation supported by your charset. To list the collations available for your charset, use the SHOW COLLATION statement with the LIKE clause. For example, to see the collations for the latin1 (cp1252 West European) character set, use this statement to find those collation names that begin with latin1:

SHOW COLLATION LIKE '%latin1%';

For more information about Character Sets and Collations, see manuals at http://dev.mysql.com/.

X-Cart HTTP & HTTPS host and web directory

$xcart_http_host ="$_SERVER[HTTP_HOST]";
$xcart_https_host ="$_SERVER[HTTP_HOST]";
$xcart_web_dir =”/xcart”;

This section contains variables which keep the information about the physical location of the X-Cart files. X-Cart uses the values of these variables to correctly address the scripts, templates and other X-Cart files. If the variables contain incorrect values, X-Cart will not be able to display pages correctly.

With automatic installation via the Installation Wizard, you do not need to modify the values of these variables, because the installation script writes the new values to the variables according to the information that you provide at the third step of the Installation Wizard (Step 3: Preparing to install X-Cart database).

However, if you install X-Cart manually, you need to edit the values of the variables and provide correct names of the host and the X-Cart root directory. You may also need to edit the values of these variables when you transfer/copy your store to a different server/location or when your change the DNS.

The variables in this section correspond to:

  • $xcart_http_host: The host name of the server on which X-Cart is installed.
  • $xcart_https_host: The host name of the secure server which provides access to X-Cart via the HTTPS protocol.
  • $xcart_web_dir: The web accessible directory of your server/hosting account where X-Cart files are located.

The variables $xcart_http_host and $xcart_https_host must contain host names only (no protocol prefixes ‘http://’ or ‘https://’, no trailing slashes). If you are not sure what the host name of your secure server is, contact your hosting team for help. In most cases the names of your secure and non-secure servers will be the same.

The name of your X-Cart directory must represent how the directory can be accessed from the Web, not from the file system. The general rule here is to put a slash before the name of the directory and no slash at the end (for example, /xcart). An exception applies to the situation when you install X-Cart to the WWW root. In this case you must leave the variable empty.

Example 1:

If the store URLs are:

http://www.example.com/xcart and http://www.securedirectories.com/example.com/xcart

the variables must have the following values:

$xcart_http_host ="www.example.com";
$xcart_https_host ="www.securedirectories.com/example.com";
$xcart_web_dir ="/xcart";

Example 2:

If the store URLs are:

http://www.example.com/ and https://www.example.com/

the variables must have the following values:

$xcart_http_host ="www.example.com";
$xcart_https_host ="www.example.com";
$xcart_web_dir ="";

Example 3:

If the store is installed on a test/dev server which is available by its IP address only, so the store URLs are:

http://50.110.101.234/ and https://50.116.101.234/

the variables must have the following values:

$xcart_http_host ="50.116.101.234";
$xcart_https_host ="50.116.101.234";
$xcart_web_dir ="";

Example 4:

If the store is installed on a local web-server and the store URLs are:

http://127.0.0.1/ and https://127.0.0.1/

the variables must have the following values:

$xcart_http_host ="127.0.0.1";
$xcart_https_host ="127.0.0.1";
$xcart_web_dir ="";

It is also possible that you use domain aliases for your store; however, your store visitors will be redirected to the primary domain if they open the store through an alias. For example, if the store is installed to a domain name example.com which has an alias www.example.com, store visitors will be redirected to http://example.com even if they open in their browsers http://www.example.com.

Storing Customers’ credit card info, CVV2 and checking account details

Important: Starting with X-Cart version 4.5.0, X-Cart does not collect or store cardholder data, so the variables $store_cc and $store_cvv2 are no longer availabe in config.php. The below description of these variables pertains to earlier X-Cart versions in which these variables are available.
X-Cart4.0-4.5


$store_cc = false;

The variable $store_cc defines whether your customers' credit card information should be stored in the database. This includes:

  • cardholder’s name;
  • card type;
  • card number;
  • "valid from" date (for certain types of cards);
  • expiration date;
  • card issue number (for certain types of cards).

The possible values for the $store_cc variable are 'true' and 'false'. By default the variable is set to 'false', which means that X-Cart does not store in its database any credit card info that your customers provide when paying for products with their credit cards (all the info goes directly to the payment gateway). The variable must be set to 'true' if you wish to use X-Cart's ' Subscriptions' module or the 'Credit Card' offline payment method (manual credit card processing).

X-Cart4.0-4.5


$store_cvv2 = false;

The variable $store_cvv2 defines whether CVV2 codes of your customers’ credit cards should be stored in the database.

The possible values for the $store_cvv2 variable are 'true' and 'false'. By default the variable is set to 'false', which means that X-Cart does not store in its database any credit card info that your customers provide when paying for products with their credit cards (all the info goes directly to the payment gateway). The variable must be set to 'true' if you wish to use X-Cart's ' Subscriptions' module or the 'Credit Card' offline payment method (manual credit card processing).

Important: The variable $store_ch was removed in X-Cart 4.5.5; however, storing customer's checking account details can still be configured. Please refer to the constant STORE_CHECKING_ACCOUNTS in XCSecurity class (see below).
X-Cart4.0-4.5
$store_ch = false;

The variable $store_ch define whether your customers' checking account details should be stored in the database.

Default images

$default_image = "default_image.gif";

The variable $default_image allows you to define what image file should be used as the default “No image available” placeholder. A placeholder here means the image that appears in place of any missing image in your store. The default value of the variable is “default_image.gif”. The image file default_image.gif is physically located in the X-Cart root directory.

Default image.gif

If you wish to use a different placeholder image, you can either replace the default image file with a different file having the same name or change the value of the variable $default_image and specify the path to the image file and the image filename.

Note: You can upload your own image placeholders for missing X-Cart images of different types (product thumbnails, product images, category icons, detailed images, variant images, manufacturer logos, product class images). You can do it through the Images location section of the Admin area.

$shop_closed_file = "shop_closed.html";

The variable $shop_closed_file allows you to define what HTML page should be displayed in place of the Customer area when you store is temporarily closed for visitors. The default value of this variable is "shop_closed.html". The HTML file is physically located in the X-Cart root directory.

Shop closed.gif

If you wish to use a different HTML page, you can either replace the default image file with a different file having the same name or change the value of the variable $shop_closed_file and specify the path to the HTML page and page filename.

Single Store mode (X-Cart PLATINUM and PRO)

$single_mode = true;

The variable $single_mode allows you to enable/disable the Single Store mode if your store is based on X-Cart PLATINUM or PRO. The Single Store mode is an operating mode which represents your X-Cart PLATINUM or PRO based store as a unified environment shared by multiple providers who can edit the products of other store providers. When the Single Store mode is enabled, shipping rates, discounts and discount coupons, taxes and other settings and components are the same for all the store providers.

The two possible values for the $single_mode variable are ‘true’ and ‘false’. Setting the value to ‘true’ enables the Single Store mode. Setting the value to ‘false’ restores the normal mode where your store providers can control their products only and can have their own shipping rates, discounts, taxes, etc.

Note: If your store is based on X-Cart GOLD or GOLD PLUS, the value of $single_mode must always be set to ‘true’. Changing the value to ‘false’ will not turn your X-Cart GOLD or GOLD PLUS into X-Cart PLATINUM/PRO.

You should only change the value of the $single_mode variable before any products, destination zones, shipping and tax rates are configured in the store. If you try to change the value of this variable after some providers have adjusted their settings, these settings will be corrupted.

See also: Simple Mode

FedEx Rates directory

This feature was removed in X-Cart 4.1.0 beta and is not available in later versions.

$fedex_default_rates_dir = $xcart_dir.”/shipping/FedEx/”;

The variable $fedex_default_rates_dir keeps the location of the directory with files which control correct calculation of the FedEx shipping rates. By default the value of this variable is set to '$xcart_dir.”/shipping/FedEx/”', where $xcart_dir means the X-Cart root directory.

Log directory

$var_dirs['log'] = $xcart_dir . '/var/log';

The variable $var_dirs['log'] defines the location of the directory where X-Cart log files are stored.

Cache directory

$var_dirs['cache'] = $xcart_dir.'/var/cache';
$var_dirs['smarty_cache'] = $var_dirs['cache'] . '/smarty_cache';
$var_dirs['search_cache'] = $var_dirs['cache'] . '/search_cache';
$var_dirs['product_cache'] = $var_dirs['cache'] . '/product_cache';
$var_dirs_web['cache'] = '/var/cache';

The variable $var_dirs['cache'] defines the location of the directory where X-Cart cache files are stored.

Export directory

$export_dir = $var_dirs['tmp'];

The variable $export_dir defines the location of X-Cart export directory (a directory on X-Cart server to which the CSV files of export packs are stored).

Correcting debug mode

$debug_mode = 2;

The variable $debug_mode allows you to define the amount of the debugging information which can be displayed in the Customer area. By default the value of this variable is set to 3. Changing the value to 2 allows you to hide from your store visitors all the debugging information.

Customizing session length

define('XCART_SESSION_LENGTH', 3600);

(in versions prior to 4.5.3 used to be $use_session_length = 3600;)

Defines session duration, in seconds. Avoid setting too little values for this variable, as that may cause the malfunction of lengthy store procedures, such as HTML catalog generation and data import/export. The recommended is at least 3600.

Section marked "DO NOT CHANGE ANYTHING BELOW THIS LINE UNLESS YOU REALLY KNOW WHAT YOU ARE DOING"

We strongly recommend you do not change any configuration settings that go below the line that says:

# DO NOT CHANGE ANYTHING BELOW THIS LINE UNLESS
# YOU REALLY KNOW WHAT ARE YOU DOING

Editing the settings below this line requires profound knowledge of the X-Cart architecture. Tampering with these settings may cause considerable damage to your store.

Below are some notes on the contents of this section.

Automatic repair of broken indexes in mySQL tables

$mysql_autorepair = true;

The value of the variable $mysql_autorepair defines whether in case of SQL errors like the following:

Table 'xcart_table_name' is marked as crashed and should be repaired
Incorrect key file for table 'xcart_table_name'. try to repair it
Old key file for table 'xcart_table_name'. repair it.

X-Cart should automatically try to repair the possibly corrupted tables using the SQL statement REPAIR TABLE (http://dev.mysql.com/doc/refman/5.1/en/repair-table.html).

Enabling/Disabling data caching

define('USE_DATA_CACHE', true);

The constant USE_DATA_CACHE defines whether your store should use data caching.

When enabled, you store's cache includes the following data:

  • active modules
  • setup_images
  • charsets
  • payments for which https is enabled
  • sql requests
  • sql_tables_fields
  • sql_vars

Also, the results of the following functions are cached:

  • get_categories_tree
  • get_language_vars
  • get_offers_categoryid
  • get_schemes
  • get_default_fields
  • test_active_bouncer
  • tpl_get_xcart_news
  • get_xcart_paid_modules

The possible values for the USE_DATA_CACHE constant are:

  • true: Data caching is enabled.
  • false: Data caching is disabled.

By default the value is set to true. Changing the value to false is reasonable only if you experience problems using the store with caching enabled (e.g. if you keep getting error messages about files in the /var/cache directory of your X-Cart installation).

define('DATA_CACHE_TTL', 24*3600);

The constant DATA_CACHE_TTL defines how often your store's cache should be re-generated. By default the value is set to 24*3600, which means that cache will be re-generated every 24 hours.

define('USE_SQL_DATA_CACHE', false);

The constant USE_SQL_DATA_CACHE defines whether your store should cache the results of heavy database queries. Enabling this type of caching is not recommended in the development period - while you are still adding new products to the store's catalog and making a lot of changes via the store's administration back end. However, when your store is ready to go live (so you won't be making many changes), enabling this option is recommended to enhance your store's performance. Note that we do not guarantee compatibility of this feature with 3rd party add-on modules.

define('SQL_DATA_CACHE_TTL', 3600);

The constant DATA_CACHE_TTL defines how often your store's SQL data cache should be re-generated.

Enabling Protected mode for security sensitive operations performed via the store's back end

const PROTECT_DB_AND_PATCHES = 'ip';
const PROTECT_ESD_AND_TEMPLATES = 'ip';

The constants PROTECT_DB_AND_PATCHES and PROTECT_ESD_AND_TEMPLATES define whether protection against unauthorized access to security-sensitive operations via the store's back end should be used and allow you to choose the protection method.

  • PROTECT_DB_AND_PATCHES applies to SQL/security and upgrade/patch operations performed via X-Cart's Admin area including the following:
  • admin/db_backup.php - operations of creating a backup of your store's database and restoring the database from backup via the 'Database Backup/Restore' page in Admin area;
  • CHANGE_SECURITY_OPTIONS - changing any settings on the General settings/Security options page (Settings->General settings->Security) in Admin area;
  • PATCH_FILES, PATCH_SQL - Apply Patch and Apply SQL patch operations via the Patch/Upgrade center page (Tools->Patch/Upgrade) in Admin area;
  • UPGRADE - Upgrade operations via the Patch/Upgrade center page (Tools->Patch/Upgrade) in Admin area;
  • ADD_ALLOWED_ADMIN_IP - adding allowed IP addresses via the 'Allowed IP addresses' section on the User access control page (Tools menu -> Maintenance -> "See also" tab (right-side menu) -> User access control) in Admin area;
  • CHANGE_ALLOWED_ADMIN_IP - editing the list of allowed IP addresses via the 'Allowed IP addresses' section;
  • IMPORT_ADMIN_PROFILES, MANAGE_ADMIN_PROFILES - import and modification of admin user profiles;
  • MANAGE_SYSTEM_FINGERPRINTS / MANAGE_XMONITORING_FILES / MANAGE_LOGS
  • PROTECT_ESD_AND_TEMPLATES applies to:
  • Edit templates - any operations via the Browse templates section in Admin and (X-Cart PLATINUM) Provider area;
  • FILE_OPERATIONS - any operations via the Browse files section in Admin and (X-Cart PLATINUM) Provider area.

The possible values for these constants are:

  • 'ip': Access to the protected pages is allowed only from specific IP addresses ('ip'-based protection method).
  • 'file': (Strongly recommended) Access to the protected pages is allowed only after creating a special file in the var/tmp folder ('file'-based protection method). Using the 'file'-based protection method provides the highest level of security.
  • FALSE: (Not recommended) Protection is disabled.

For more information, see the section on Protected Mode.

Binding the session id of admin user to IP address

const PROTECT_XID_BY_IP = 'mask';

The constant PROTECT_XID_BY_IP defines whether the session id of admin user should be locked to the IP address from which this session originated. The possible values are (from high security level to low):

  • 'ip': (Strongly recommended) The session id of admin user is locked to a specific IP address. For example, 192.168.31.40. Using this value provides the highest level of security.
  • 'secure_mask': The session id of admin user is locked to the IP subnetwork including the IP address from which the admin session originated. For example, 192.168.31.*. Using this value provides medium to high level of security.
  • 'mask': The session id of admin user is locked to the IP subnetwork including the IP address from which the admin session originated. For example, 192.168.*.*. Using this value provides medium to low level of security.
  • FALSE: (Not recommended) Binding of admin user session id to his IP address is disabled. You may want to use this value if admin is going to work via two or more ISPs alternating all the time.

Note that, if the value of PROTECT_XID_BY_IP at your store is set to 'ip', in rare cases (namely, if your ISP changes your IP address too often, like every few seconds) you may experience problems logging in to the Admin area. If this happens, consider switching to 'secure_mask'/'mask' or disable binding of admin user session IDs to IP addresses altogether by setting the value of PROTECT_XID_BY_IP to FALSE.

Restricting access to the store's back end by IP

const BLOCK_UNKNOWN_ADMIN_IP = FALSE;

The constant BLOCK_UNKNOWN_ADMIN_IP (in X-Cart versions prior to 4.5.5 known as SECURITY_BLOCK_UNKNOWN_ADMIN_IP) defines whether the store's user access control functionality is enabled. This functionality prevents usage of your store's back-end from IP addresses that have not been approved by the store admin. The possible values are:

  • TRUE: User access control functionality is enabled; the store's back end can be accessed only from the IP addresses specified in the 'Allowed IP addresses' section in Admin area.
  • FALSE: User access control functionality is disabled; the store's back end can be accessed from any IP address.

By default the value of this constant is set to FALSE. For more information, see the section User Access Control.

const ADMIN_ALLOWED_IP = '';

The constant ADMIN_ALLOWED_IP (in X-Cart versions prior to 4.5.5 known as $admin_allowed_ip) specifies the IP addresses from which access to the store's back end should be allowed. You can leave the value empty for unrestricted access or provide a comma separated list of trusted IP addresses to allow access only from these IP addresses.
For example:

  • Unrestricted access:
ADMIN_ALLOWED_IP = '';
  • Access is allowed only from IP 192.168.0.1 and 127.0.0.1:
ADMIN_ALLOWED_IP = "192.168.0.1, 127.0.0.1";

BLOCK_UNKNOWN_ADMIN_IP and ADMIN_ALLOWED_IP basically serve the same purpose: they fully block access to the store's back end for users whose IP address is not on the list of allowed IP addresses. However, these features use different sets of IP addresses: ADMIN_ALLOWED_IP stores IP addresses in the file config.php, whereas BLOCK_UNKNOWN_ADMIN_IP uses IP addresses stored in the database. In practice this means that ADMIN_ALLOWED_IP provides somewhat better protection than BLOCK_UNKNOWN_ADMIN_IP, because a hacker is far less likely to get their hands on config.php than to try and insert their IP address into the list stored in the database.

Note that the list of IP addresses in ADMIN_ALLOWED_IP is the first place that X-Cart checks to determine whether a specific IP address is 'allowed': if the list of IP addresses in ADMIN_ALLOWED_IP is not empty, and the IP address being checked is not on that list, X-Cart will simply deny access to the user without even checking whether the IP address is contained in the list used by other IP-based methods of protection, like User access control functionality and Protected mode. This means that if you intend to use User access control functionality (BLOCK_UNKNOWN_ADMIN_IP = TRUE) or 'ip'-based Protected mode (BLOCK_UNKNOWN_ADMIN_IP = FALSE with PROTECT_DB_AND_PATCHES and/or PROTECT_ESD_AND_TEMPLATES set to 'ip'), you will need to either add everything from the list of allowed IP addresses in your database to the list of IP addresses stored in ADMIN_ALLOWED_IP as well, or disable the ADMIN_ALLOWED_IP feature altogether.

Blocking IFRAME / FRAME calls

const FRAME_NOT_ALLOWED = FALSE;

The constant FRAME_NOT_ALLOWED defines whether IFRAME / FRAME calls should be allowed for X-Cart. You may want to forbid calling X-Cart in IFRAME / FRAME tags to prevent attacks in which the attacker displays X-Cart through a frame and, using web browser vulnerabilities, intercepts the information being entered in it. The possible values for this constant are TRUE and FALSE. If you do not use X-Cart in any pages where X-Cart is displayed through a frame, you can set the value of this constant to TRUE to enhance security. By default the value of this constant is set to FALSE.

Setting the length for the list of unique form identifiers

const FORM_ID_ORDER_LENGTH = 100;

The constant FORM_ID_ORDER_LENGTH sets the length for the list of unique form identifiers.

A unique form identifier ensures that a form is valid and serves as a protection from CSRF (cross-site request forgery) attacks. For each user session, the system generates an ordered list of unique identifiers and assigns them to every X-Cart’s page opened by the user which contains a submittable HTML form designed for sending input data using the POST method. These identifiers are intended to ensure the authenticity of every single form: every time the user makes an attempt to submit a form, X-Cart checks whether the form identifier is on the list. If it is, the form is considered genuine (i.e. generated by X-Cart during the current session) and, thus, safe for sending input data. If the identifier is missing from the list, the form is treated as suspicious, and no input data can be submitted through it.

The number of identifiers in the list corresponds to the value of the FORM_ID_ORDER_LENGTH constant. By default the value is set to 100. It means that for every section the list can contain no more than 100 unique identifiers, and at any given time X-Cart will treat no more than 100 forms as genuine. If the number of forms opened by the user during one section exceeds the value defined by FORM_ID_ORDER_LENGTH, X-Cart will remove from the list the earliest identifiers and replace them with new identifiers for the recently opened forms.

By editing the value of the FORM_ID_ORDER_LENGTH constant you can increase or decrease the number of forms that will be concurrently considered genuine. If FORM_ID_ORDER_LENGTH is not declared or is set to a non-numeric value or a value smaller than 1, its value will be automatically set to 100.

Setting disallowed file types

const DISALLOWED_FILE_EXTS =
'phtml, phar, php5, php4, php3, php, pl, cgi, asp, exe, com, bat, pif, htaccess';

The constant DISALLOWED_FILE_EXTS specifies the file types disallowed for upload. Here disallowed file extensions should be specified as a comma separated list.

Checking MD5 of compiled templates

const COMPILED_TPL_CHECK_MD5 = FALSE;

The constant COMPILED_TPL_CHECK_MD5 defines whether MD5 verification should be used for compiled templates. The possible values for this constant are TRUE and FALSE. It is highly recommended to keep this option disabled (set to FALSE) to avoid negative effect on the store's performance. The only exceptions to this recommendation are:

  1. when you are on a shared hosting, and other users of this hosting have write permissions to the var/templates_c directory of your X-Cart installation.
  2. when you are not sure your hosting provides a high level of protection against viruses or may have other security vulnerabilities which may result in an intruder gaining write access to the var/templates_c directory.

Starting with X-Cart version 4.7.0, the value of the COMPILED_TPL_CHECK_MD5 constant has no effect on the store's operation.

Storing customers' checking account details

const STORE_CHECKING_ACCOUNTS = FALSE;

The constant STORE_CHECKING_ACCOUNTS (formerly $store_ch) defines whether your customers' checking account details should be stored in the database. This includes:

  • Bank account number;
  • Bank routing number;
  • Fraction number.

If Direct Debit is used, Account owner name is stored instead of Fraction number. The possible values for this constant are:

  • TRUE: X-Cart stores your customers' checking account details in the order details.
  • FALSE: X-Cart does not store your customers' checking account details anywhere.

Checking the authenticity of admin profiles in xcart_customers

const CHECK_CUSTOMERS_INTEGRITY = TRUE;

The constant CHECK_CUSTOMERS_INTEGRITY defines whether admin and (X-Cart PLATINUM) provider profiles in the xcart_customers table should be checked for authenticity to prevent their malicious faking and stealing. The possible values for this constant are TRUE and FALSE. It is highly recommended to keep this option enabled (set to TRUE) at all times.

Checking the authenticity of Social login admin profiles in xcart_xauth_user_ids

const CHECK_XAUTH_USER_IDS_INTEGRITY = TRUE;

The constant CHECK_XAUTH_USER_IDS_INTEGRITY defines whether Social login admin and (X-Cart PLATINUM) provider profiles in the xcart_xauth_user_ids table should be checked for authenticity to prevent their malicious faking and stealing. The check ensures the integrity of the association between the Social login id of admin and provider users and their X-Cart user profiles. The possible values for this constant are TRUE and FALSE. It is highly recommended to keep this option enabled (set to TRUE) at all times.

Checking the authenticity of the password_reset_key field in xcart_reset_passwords

const CHECK_RESET_PASSWORDS_INTEGRITY = TRUE;

The constant CHECK_RESET_PASSWORDS_INTEGRITY defines whether the password_reset_key field in the xcart_reset_passwords table should be checked for authenticity in order to prevent malicious faking and stealing of its contents. The check ensures the integrity of the association between a password reset key and the user for whom it was generated. The possible values for this constant are TRUE and FALSE. It is highly recommended to keep this option enabled (set to TRUE) at all times.

Checking the authenticity of critical config values in xcart_config

const CHECK_CONFIG_INTEGRITY = TRUE;

The constant CHECK_CONFIG_INTEGRITY defines whether critical config values stored in the xcart_config table should be checked for authenticity in order to prevent their malicious faking and stealing. The possible values for this constant are TRUE and FALSE. It is highly recommended to keep this option enabled (set to TRUE) at all times. The config values protected by CHECK_CONFIG_INTEGRITY are as follows:

'site_administrator' => 'Site administrator email address', // without category
'ip_register_codes' => 'List of IP addresses awaiting registration', // without category
'allowed_ips' => 'Allowed IP addresses', // without category
'xpc_allowed_ip_addresses' => 'IP addresses for X-Payments callbacks', // XPayments_Connector
'smtp_server' => 'SMTP server', // Email
'use_smtp' => 'Use SMTP server instead of internal PHP mailer', // Email
'unallowed_request_notify' => 'Notify the site administrator by email if unallowed request to site occurs', // Email_Note
'eml_login_error' => 'Login error notification to site administrator', // Email_Note
'admin_sqlerror_notify' => 'Notify the site administrator about SQL errors in the store by email', // Email_Note
'allow_ips' => 'Check if payment gateway response is coming from the IP\'s specified here (enter a comma separated list)', // Security

Synchronizing user sessions of the primary store domain and additional domain aliases

define('USE_SESSION_HISTORY', true);

The constant USE_SESSION_HISTORY defines whether the functionality for synchronizing user sessions of the primary store domain and additional domain aliases should be enabled. The possible values for this constant are true and false. The value of this constant must be set to true if you use domain aliases for the Customer area of your store and wish to be able to simultaneously work both with the Admin and Customer areas without losing your current user session.

Enabling CURLOPT_INTERFACE setting for libcurl

define('USE_CURLOPT_INTERFACE', false);

The constant USE_CURLOPT_INTERFACE enables the functionality that forces the use of the CURLOPT_INTERFACE setting for the libcurl https module. This setting is required by some payment gateways. Example error text: "Information received from an Invalid IP address. (INVALID)" Take a look at the page http://www.php.net/manual/en/function.curl-setopt.php#CURLOPT_INTERFACE for the description of the CURLOPT_INTERFACE setting.

Enabling HTTP 1.0 compatibility mode

define('HTTP_1_0_COMPATIBILITY_MODE', false);

The constant HTTP_1_0_COMPATIBILITY_MODE can be used to enable the HTTP 1.0 protocol for requests sent by X-Cart to external services in case of problems with HTTP 1.1 requests. The possible values for this constant are true and false.

Limiting the number of HTTPS redirects

$https_redirect_limit = 20;

The variable $https_redirect_limit sets a limit for the number of redirects from HTTP to HTTPS. When this limit is reached, X-Cart supposes that the HTTPS part of the store does not work and stops trying to redirect to the HTTPS part. If the value of the variable is not a number or is less than zero, redirection will happen every time.

Development mode and debug mode settings

$debug_mode = 2;

The variable $debug_mode defines X-Cart's error tracking behavior. The possible values for this variable are:

  • 0: Error tracking is disabled.
  • 1: Errors and notices are displayed on the store pages (For SQL errors, execution of the script is stopped).
  • 2: Errors and notices are written to log files (var/log/x-errors_*.php); no debug info is displayed on the store pages.
  • 3: Errors and notices are both displayed on the store pages and written to log files.

The value of this variable should be set to 2 for production.

define('DEVELOPMENT_MODE', 1);

Enable this directive if you are a developer changing X-Cart source code.

  • This directive enables function assertion http://php.net/assert
  • This directive enables all php warnings/notices
  • This directive should be disabled in production

We recommend the following settings for development:
$debug_mode = 3;
define('DEVELOPMENT_MODE', 1);

X-Cart security keys

The variables $xc_security_key* are used to store X-Cart security keys that ensure the security of admin operations. These keys are involved in the generation of digital signatures used to ensure the authenticity of certain types of data stored in the database:

  • $xc_security_key_session: This key is used for the generation of signatures for admin and (X-Cart PLATINUM) provider user profiles, password reset keys, Social Login admin and (X-Cart PLATINUM) provider profiles and sessions.
  • $xc_security_key_config: This key is used for the generation of signatures for critical xcart_config values.
  • $xc_security_key_general: This key is used for X-Cart's X-Monitoring module.

Without the key no one will be able to recreate the signature of a database record, so no one will be able to fake a database record by substituting their own data. Similarly to your store's $blowfish_key value, the values of $xc_security_key* variables must be unique per store and must be stored securely. To enhance the security of your store, it is recommended to periodically update the security keys by re-generating them. To re-generate your security keys, you only need to re-generate your Blowfish key: the $xc_security_key* keys will be re-generated automatically along with the $blowfish_key value.

Section marked "NEVER CHANGE THE SETTINGS BELOW THIS LINE MANUALLY"

The config.php file contain a section saying:


# ################################################################
# NEVER CHANGE THE SETTINGS BELOW THIS LINE MANUALLY
# ################################################################

You must never edit variables in this section, because it will apparently destroy your store.

For example, this section contains the variable $blowfish_key, for example:

$blowfish_key = '8d5db63ada15e11643a0b1c3477c2c5c';

This variable keeps your store's Blowfish key that was automatically generated during the X-Cart installation. This key is used to encrypt and decrypt all the sensitive data in your store database including user passwords, credit card info, etc. Since the data in already encrypted, editing the value of the $blowfish_key variable manually will corrupt all user passwords (including the administrator password) and you want be able to use the store. You must also be aware of the fact that a lost Blowfish key cannot be restored, and the X-Cart Support team will not be able to help you regain access to your store if you remove or change the value of the $blowfish_key variable.

If for some reason you need to re-generate the Blowfish key generated during the installation, use the built-in X-Cart facility described in the Re-generate the Blowfish Encryption Key section of this manual.

See also