Difference between revisions of "X-Cart:Security Profiles"
m |
m |
||
| Line 1: | Line 1: | ||
| − | |||
| − | |||
In X-Cart versions 4.5.5 and later, during X-Cart installation you can choose a security profile for your store. The two available options are '''Evaluation/Playground''' and '''Live store'''. | In X-Cart versions 4.5.5 and later, during X-Cart installation you can choose a security profile for your store. The two available options are '''Evaluation/Playground''' and '''Live store'''. | ||
The store administrator selects the security profile at the step '''[[X-Cart:Installing_X-Cart_Using_the_Installation_Wizard#Preparing to install X-Cart database | Preparing to install X-Cart database]]''' of X-Cart's web installation: | The store administrator selects the security profile at the step '''[[X-Cart:Installing_X-Cart_Using_the_Installation_Wizard#Preparing to install X-Cart database | Preparing to install X-Cart database]]''' of X-Cart's web installation: | ||
| − | [[File:Security_profile.png|border]] | + | : [[File:Security_profile.png|border]] |
| − | + | '''Live store''' security profile is a pre-set combination of security options that ensure a higher level of security for your store's data in production mode. This includes: | |
# Enabled 'ip'-based protection mode for security-sensitive operations performed via X-Cart's Admin area: | # Enabled 'ip'-based protection mode for security-sensitive operations performed via X-Cart's Admin area: | ||
#* SQL/security and upgrade/patch operations, | #* SQL/security and upgrade/patch operations, | ||
#* file operations (upload of distribution files for ESD products) and template editing. | #* file operations (upload of distribution files for ESD products) and template editing. | ||
| − | # Enabled session protection mechanism ensuring that the session id of admin user is locked to the IP subnetwork including the IP address from which the admin session originated; this significantly reduces the possibility of a valid session being hijacked by an unauthorized person. | + | # Enabled session protection mechanism ensuring that the session id of admin user is locked to the IP subnetwork including the IP address from which the admin session originated; this significantly reduces the possibility of a valid session being hijacked by an unauthorized person. |
| − | |||
| − | |||
| − | + | '''Live store''' security profile corresponds to the following settings in config.php: | |
| − | |||
| − | |||
| − | + | :* const PROTECT_DB_AND_PATCHES = 'ip';<br /> | |
| + | :* const PROTECT_ESD_AND_TEMPLATES = 'ip';<br /> | ||
| + | :* const PROTECT_XID_BY_IP = 'mask';<br /> | ||
| − | + | '''Evaluation/Playground''' is a security profile that allows you to work without the security limitations imposed by the '''Live store''' security profile. With this profile enabled, no protection is used for security-sensitive operations performed via X-Cart's Admin area, and session protection mechanism is disabled. This is caused by the following settings in config.php: | |
| − | |||
| − | |||
| + | :* const PROTECT_DB_AND_PATCHES = FALSE;<br /> | ||
| + | :* const PROTECT_ESD_AND_TEMPLATES = FALSE;<br /> | ||
| + | :* const PROTECT_XID_BY_IP = FALSE;<br /> | ||
| − | If you need to change the previously | + | If you need to change the previously selected security profile, do one of the following: |
| + | :* Re-run X-Cart's installer with the option '''Update config only''' enabled and select a different security profile. | ||
| + | OR | ||
| + | :* Manually readjust the values of the constants PROTECT_DB_AND_PATCHES, PROTECT_ESD_AND_TEMPLATES and PROTECT_XID_BY_IP in your store's file <u>config.php</u> . | ||
[[Category:X-Cart user manual]] | [[Category:X-Cart user manual]] | ||
Revision as of 11:52, 30 January 2013
In X-Cart versions 4.5.5 and later, during X-Cart installation you can choose a security profile for your store. The two available options are Evaluation/Playground and Live store. The store administrator selects the security profile at the step Preparing to install X-Cart database of X-Cart's web installation:
Live store security profile is a pre-set combination of security options that ensure a higher level of security for your store's data in production mode. This includes:
- Enabled 'ip'-based protection mode for security-sensitive operations performed via X-Cart's Admin area:
- SQL/security and upgrade/patch operations,
- file operations (upload of distribution files for ESD products) and template editing.
- Enabled session protection mechanism ensuring that the session id of admin user is locked to the IP subnetwork including the IP address from which the admin session originated; this significantly reduces the possibility of a valid session being hijacked by an unauthorized person.
Live store security profile corresponds to the following settings in config.php:
- const PROTECT_DB_AND_PATCHES = 'ip';
- const PROTECT_ESD_AND_TEMPLATES = 'ip';
- const PROTECT_XID_BY_IP = 'mask';
- const PROTECT_DB_AND_PATCHES = 'ip';
Evaluation/Playground is a security profile that allows you to work without the security limitations imposed by the Live store security profile. With this profile enabled, no protection is used for security-sensitive operations performed via X-Cart's Admin area, and session protection mechanism is disabled. This is caused by the following settings in config.php:
- const PROTECT_DB_AND_PATCHES = FALSE;
- const PROTECT_ESD_AND_TEMPLATES = FALSE;
- const PROTECT_XID_BY_IP = FALSE;
- const PROTECT_DB_AND_PATCHES = FALSE;
If you need to change the previously selected security profile, do one of the following:
- Re-run X-Cart's installer with the option Update config only enabled and select a different security profile.
OR
- Manually readjust the values of the constants PROTECT_DB_AND_PATCHES, PROTECT_ESD_AND_TEMPLATES and PROTECT_XID_BY_IP in your store's file config.php .
