X-Cart:Security Profiles
Under construction
In X-Cart versions 4.5.5 and later, during X-Cart installation you can choose a security profile for your store. The two available options are Evaluation/Playground and Live store.
The store administrator selects the security profile at the step Preparing to install X-Cart database of X-Cart's web installation:
The Live store security profile is a combination of security options that ensure a higher level of security for your store's data in production mode. This includes:
- Enabled 'ip'-based protection mode for security-sensitive operations performed via X-Cart's Admin area:
- SQL/security and upgrade/patch operations,
- file operations (upload of distribution files for ESD products) and template editing.
- Enabled session protection mechanism ensuring that the session id of admin user is locked to the IP subnetwork including the IP address from which the admin session originated; this significantly reduces the possibility of a valid session being hijacked by an unauthorized person.
When you choose the Live store security profile during X-Cart's installation, the above named security options are automatically enabled as X-Cart installer updates the constants PROTECT_DB_AND_PATCHES, PROTECT_ESD_AND_TEMPLATES and PROTECT_XID_BY_IP in X-Cart's configuration file config.php so they reflect the following values:
const PROTECT_DB_AND_PATCHES = 'ip'; const PROTECT_ESD_AND_TEMPLATES = 'ip'; const PROTECT_XID_BY_IP = 'mask';
test
const PROTECT_DB_AND_PATCHES = FALSE; const PROTECT_ESD_AND_TEMPLATES = FALSE; const PROTECT_XID_BY_IP = FALSE;
If you need to change the previously chosen security profile, re-run X-Cart's Installation Wizard with the option Update config only enabled, or simply edit your store's file config.php to readjust the values of the constants PROTECT_DB_AND_PATCHES, PROTECT_ESD_AND_TEMPLATES and PROTECT_XID_BY_IP manually.
