Difference between revisions of "Draft:Config.php"

From X-Cart 4 Classic
Revision as of 16:43, 21 January 2013

Section marked "DO NOT CHANGE ANYTHING BELOW THIS LINE UNLESS YOU REALLY KNOW WHAT YOU ARE DOING"

We strongly recommend you do not change any configuration settings that go below the line that says:

# DO NOT CHANGE ANYTHING BELOW THIS LINE UNLESS
# YOU REALLY KNOW WHAT ARE YOU DOING

Editing the settings below this line requires profound knowledge of X-Cart architecture. Tampering with these settings may cause considerable damage to your store.

Below are some notes on the contents of this section:

$x_time_threshold = 4;
$x_mem_threshold = 4194304;


mysql_autorepair = true;

Data caching

define('USE_DATA_CACHE', true);

The constant USE_DATA_CACHE defines whether your store should use data caching or not. The possible values for this constant are:

  • 'true': Data caching is enabled.
  • 'false': Data caching is disabled.

By default the value is set to 'true'. Changing the value to 'false' is reasonable only if you experience problems using the store with caching enabled (e.g. if you keep getting error messages about the files in the /var/cache directory of your X-Cart installation).


define('DATA_CACHE_TTL', 24*3600);

define('USE_SQL_DATA_CACHE', false);

define('SQL_DATA_CACHE_TTL', 3600);
define('USE_MEMCACHE_DATA_CACHE', false);
define('MEMCACHE_SERVER_ADDRESS', 'localhost');
define('MEMCACHE_SERVER_PORT', 11211);
abstract class XCSecurity { //{{{

The security-related constants described in the following sections are declared inside this class, which is why they are written as const members rather than define() calls.

Setting the protection method for SQL/Security and file changes from the Admin area

const PROTECT_DB_AND_PATCHES = 'ip';
const PROTECT_ESD_AND_TEMPLATES = 'ip';

The constants PROTECT_DB_AND_PATCHES and PROTECT_ESD_AND_TEMPLATES allow you to define the protection method for SQL/Security and file changes from the Admin area. The possible values for these constants are:

  • 'ip': Access to the protected pages will be allowed only from specific IP addresses.
  • 'file': Access to the protected pages will be allowed only after creating a special file in the var/tmp folder.

The 'file' protection method provides stronger security: it requires write access to the server's file system, which an attacker who has only hijacked an admin session or who happens to come from a trusted IP address does not have. You can disable the protection by setting the constants to FALSE; however, it is highly recommended to keep the protection enabled.

Binding the session id of admin user to IP address

const PROTECT_XID_BY_IP = 'mask';

The constant PROTECT_XID_BY_IP defines whether the session id of admin user should be locked to the IP address from which this session originated. The possible values are:

  • 'ip': Strongly recommended. Using this value provides the highest level of security. With this value, the session id of admin user will be locked to a specific IP address.
  • 'mask': Using this value provides medium level of security. With this value the session id of admin user will be locked to the IP subnetwork including the IP address from which the admin session originated.
  • FALSE: Not recommended. This value disables binding of the admin user's session id to their IP address. You may want to use this value only if the admin works via two or more ISPs and the address changes constantly.

Note that, if the value of PROTECT_XID_BY_IP at your store is set to 'ip', in rare cases (namely, if your ISP changes your IP address too often, like every few seconds) you may experience problems logging in to the Admin area. If this happens, consider switching to 'mask' or disable binding of admin user session IDs to IP addresses altogether by setting the value of PROTECT_XID_BY_IP to FALSE.
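The following is an added example, not X-Cart's own code, of what the three PROTECT_XID_BY_IP modes amount to: the admin session records a key derived from the login address, and every later request is accepted only if the same key is derived from the request address. The page does not say how large the "IP subnetwork" used by 'mask' is, so the /24 (IPv4) and /64 (IPv6) prefixes below are assumptions; the function and key names are likewise illustrative.

```php
<?php
// Added example (not X-Cart's own code): a model of PROTECT_XID_BY_IP.
// Assumption: "subnetwork" for 'mask' means /24 for IPv4 and /64 for IPv6.

// Reduce an address to the key the session is locked to under a given mode.
// Returns null when binding is disabled (mode FALSE).
function sessionIpKey(string $ip, $mode): ?string
{
    if ($mode === false) {
        return null;
    }
    $packed = inet_pton($ip);            // binary form, IPv4 or IPv6
    if ($packed === false) {
        throw new InvalidArgumentException("Not an IP address: $ip");
    }
    if ($mode === 'ip') {
        return 'ip:' . bin2hex($packed); // exact address
    }
    if ($mode === 'mask') {
        $prefixBytes = strlen($packed) === 4 ? 3 : 8;   // assumed /24 or /64
        return 'mask:' . bin2hex(substr($packed, 0, $prefixBytes));
    }
    throw new InvalidArgumentException('Unknown PROTECT_XID_BY_IP value');
}

// Called once at admin login: record the key for the originating address.
function bindAdminSession(array &$session, string $loginIp, $mode): void
{
    $session['admin_ip_key'] = sessionIpKey($loginIp, $mode);
}

// Called on each admin request. A mismatch means the session id is being
// presented from an address it was not issued to, so the session is invalid.
function adminSessionValid(array $session, string $requestIp, $mode): bool
{
    $expected = $session['admin_ip_key'] ?? null;
    $actual   = sessionIpKey($requestIp, $mode);
    if ($expected === null || $actual === null) {
        return true;                     // binding disabled: accept from anywhere
    }
    return $expected === $actual;
}

// Constructed demo: login from one address, then requests from the same host,
// another host in the same /24, and a host in a different /24.
// Addresses are from the RFC 5737 documentation range.
foreach (['ip', 'mask', false] as $mode) {
    $session = [];
    bindAdminSession($session, '203.0.113.10', $mode);
    printf("%-6s same-host=%d same-subnet=%d other-subnet=%d\n",
        var_export($mode, true),
        adminSessionValid($session, '203.0.113.10', $mode),
        adminSessionValid($session, '203.0.113.77', $mode),
        adminSessionValid($session, '203.0.114.10', $mode));
}
```

Run it with the PHP CLI. The 'ip' row accepts only the login host, the 'mask' row also accepts the neighbour in the same /24 (which is exactly the trade-off the page describes for an ISP that re-assigns addresses within one range), and the FALSE row accepts everything.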

Restricting access to Admin area by IP

const BLOCK_UNKNOWN_ADMIN_IP = FALSE;

The constant BLOCK_UNKNOWN_ADMIN_IP (formerly SECURITY_BLOCK_UNKNOWN_ADMIN_IP) allows you to enable the functionality that will prevent usage of your store's back-end from IP addresses unknown to the system. The possible values are TRUE and FALSE. By default the value of this constant is set to FALSE. It means that the Admin area can be accessed from any IP address. Before changing the value of this constant, see the section User Access Control for more information.

const ADMIN_ALLOWED_IP = '';

The constant ADMIN_ALLOWED_IP (formerly $admin_allowed_ip) allows you to specify the IP addresses from which access to the Admin area should be allowed. You can leave the value empty for unrestricted access or provide a comma separated list of trusted IP addresses to allow access only from these addresses. Note that the address checked is the one the web server sees as the client; if the store runs behind a reverse proxy or load balancer, that is the proxy's address, not the administrator's.
E.g.:
1) Unrestricted access:

const ADMIN_ALLOWED_IP = '';

2) Access is allowed only from IP 192.168.0.1 and 127.0.0.1:

const ADMIN_ALLOWED_IP = '192.168.0.1, 127.0.0.1';
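The following is an added example, not X-Cart's own code, that covers both this section and the earlier one on PROTECT_DB_AND_PATCHES / PROTECT_ESD_AND_TEMPLATES: it parses a comma separated ADMIN_ALLOWED_IP value such as "192.168.0.1, 127.0.0.1", checks the client address against it, and applies the 'ip', 'file' and FALSE protection methods to a protected page. Two assumptions are made because the page does not state them: that the 'ip' method consults the same address list as ADMIN_ALLOWED_IP, and that the 'file' method checks for the existence of a file whose name is a placeholder here.

```php
<?php
// Added example (not X-Cart's own code): enforcing ADMIN_ALLOWED_IP and the
// 'ip' / 'file' / FALSE protection methods. Assumptions: the 'ip' method uses
// the ADMIN_ALLOWED_IP list, and the var/tmp unlock file name is a placeholder.

// Parse "192.168.0.1, 127.0.0.1" into a list of addresses; '' gives [].
function parseAllowedIps(string $list): array
{
    $ips = [];
    foreach (explode(',', $list) as $entry) {
        $entry = trim($entry);
        if ($entry === '') {
            continue;
        }
        // Reject typos loudly instead of silently producing a list nobody matches.
        if (inet_pton($entry) === false) {
            throw new InvalidArgumentException("Bad address in ADMIN_ALLOWED_IP: '$entry'");
        }
        $ips[] = $entry;
    }
    return $ips;
}

// ADMIN_ALLOWED_IP semantics: empty list = unrestricted, otherwise exact match.
// Pass the TCP peer address ($_SERVER['REMOTE_ADDR']); X-Forwarded-For is
// client-controlled and must not be used for this decision.
function adminIpAllowed(string $remoteAddr, string $allowedList): bool
{
    $allowed = parseAllowedIps($allowedList);
    return $allowed === [] || in_array($remoteAddr, $allowed, true);
}

// Gate for the SQL/Security and file-change pages of the Admin area.
function protectedPageAllowed($method, string $remoteAddr, string $allowedList, string $unlockFile): bool
{
    if ($method === 'ip') {
        // Fail closed: with no addresses configured nobody gets in, unlike the
        // Admin area itself, which treats an empty list as unrestricted.
        $allowed = parseAllowedIps($allowedList);
        return $allowed !== [] && in_array($remoteAddr, $allowed, true);
    }
    if ($method === 'file') {
        // The operator creates the file for the duration of the change and removes it afterwards.
        return is_file($unlockFile);
    }
    if ($method === false) {
        return true;                   // protection disabled: not recommended
    }
    throw new InvalidArgumentException('Unknown protection method');
}

// Constructed demo.
$list = '192.168.0.1, 127.0.0.1';
$yn = function (bool $b): string { return $b ? 'allowed' : 'denied'; };

printf("Admin area, 192.168.0.1 with list:  %s\n", $yn(adminIpAllowed('192.168.0.1', $list)));
printf("Admin area, 192.168.0.2 with list:  %s\n", $yn(adminIpAllowed('192.168.0.2', $list)));
printf("Admin area, 192.168.0.2 empty list: %s\n", $yn(adminIpAllowed('192.168.0.2', '')));

// Placeholder for the unlock file that would live under var/tmp in a real store.
$unlock = sys_get_temp_dir() . '/xcart_unlock_demo';
printf("'file' method, file absent:  %s\n", $yn(protectedPageAllowed('file', '192.168.0.2', $list, $unlock)));
touch($unlock);
printf("'file' method, file present: %s\n", $yn(protectedPageAllowed('file', '192.168.0.2', $list, $unlock)));
unlink($unlock);
printf("'ip' method, 192.168.0.2:    %s\n", $yn(protectedPageAllowed('ip', '192.168.0.2', $list, $unlock)));
printf("'ip' method, 127.0.0.1:      %s\n", $yn(protectedPageAllowed('ip', '127.0.0.1', $list, $unlock)));
printf("FALSE method, 192.168.0.2:   %s\n", $yn(protectedPageAllowed(false, '192.168.0.2', $list, $unlock)));
```

Run it with the PHP CLI. The strict in_array comparison and the inet_pton validation are deliberate: a list entry with a stray character would otherwise match nothing and lock every administrator out without an error message.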

Blocking IFRAME / FRAME calls

const FRAME_NOT_ALLOWED = FALSE;

The constant FRAME_NOT_ALLOWED allows you to forbid calling X-Cart in IFRAME / FRAME tags. The possible values are TRUE and FALSE. If you do not use X-Cart in any pages where X-Cart is displayed through a frame, you can set the value of this constant to TRUE to enhance security. This option helps to prevent clickjacking attacks, in which the attacker displays X-Cart through a frame on a page they control and, using web browser vulnerabilities, intercepts the information being entered in it.