Code Block
register_globals = Off
magic_quotes_gpc = Off
allow_url_include = Off

You can also check a few session-related directives in order to improve your server's handling of sessions.

Code Block
[MySQL]
mysql.allow_persistent = On
mysql.max_persistent = -1
mysql.max_links = -1
mysql.connect_timeout = 10
mysql.trace_mode = Off
; ...
[Session]
session.save_handler = files
session.save_path = "/var/www/sessions"
session.use_cookies = 1
session.name = PHPSESSID
session.cookie_path = /
session.cookie_domain =
session.cookie_httponly =
session.serialize_handler = php

...

  • mysql.allow_persistent: Turn it on if you want to allow MySQL to have persistent connections (MySQL will close its connections after several HTTP requests).
  • mysql.max_persistent: Set the maximum number of persistent connections allowed by MySQL (-1 corresponds to the maximum the system can offer).
  • mysql.max_links: Set the maximum number of connections allowed by MySQL (-1 corresponds to the maximum the system can offer).
  • mysql.connect_timeout: Set the number of seconds MySQL must wait before declaring a connection lost.
  • mysql.trace_mode: When this mode is activated, MySQL will show errors when there are non-freed resources or a MySQL error.
  • For more information about MySQL directives: http://fr.php.net/manual/en/mysql.configuration.php

...

Explanation:

  • session.save_handler: defines the handler which is used for storing and retrieving data associated with a session.
  • session.save_path: defines the argument which is passed to the save handler.
  • session.use_cookies: specifies whether the server will use cookies to store the session id on the client side.
  • session.name: specifies the name of the session, which is used as the cookie name.
  • session.cookie_path: specifies the path to set in the session cookie.
  • session.cookie_domain: specifies the domain to set in the session cookie (default: "/"). If it is empty, the server's host name will be used according to the cookie's specifications.
  • session.cookie_httponly: marks the cookie as accessible only through the HTTP protocol. This means that the cookie won't be accessible by scripting languages, such as JavaScript. This setting can effectively help to reduce identity theft through XSS attacks (although it is not supported by all browsers).
  • session.serialize_handler: defines the name of the handler which is used to serialize/deserialize data.
  • For more information about sessions: http://fr.php.net/manual/en/session.configuration.php
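
As an added example (not part of the original guide), the following POSIX shell script audits a php.ini file for the directives discussed above (register_globals, magic_quotes_gpc, allow_url_include, session.use_cookies, session.cookie_httponly) and reports the ones left at a weak value. The embedded php.ini fragment is a constructed sample, and the list of acceptable values is this example's own assumption.

```shell
#!/bin/sh
# Constructed sample php.ini fragment (not from the guide) so the audit runs offline.
SAMPLE_INI=$(cat <<'EOF'
register_globals = On
magic_quotes_gpc = Off
allow_url_include = Off
[Session]
session.use_cookies = 1
session.cookie_httponly =
EOF
)

# php_ini_value FILE DIRECTIVE -> prints the effective value (last uncommented
# assignment wins, as in php.ini), or nothing if the directive is not set.
php_ini_value() {
    grep -E "^[[:space:]]*$2[[:space:]]*=" "$1" | tail -n 1 \
        | sed 's/^[^=]*=[[:space:]]*//; s/[[:space:]]*$//'
}

# audit_php_ini FILE -> prints one line per weak directive and returns the
# number of findings (0 means every checked directive has an acceptable value).
audit_php_ini() {
    findings=0
    # Each rule: directive|acceptable values (case-insensitive, pipe-separated).
    for rule in 'register_globals|off|0' 'magic_quotes_gpc|off|0' \
                'allow_url_include|off|0' 'session.use_cookies|1|on' \
                'session.cookie_httponly|1|on'; do
        directive=${rule%%|*}
        allowed=${rule#*|}
        value=$(php_ini_value "$1" "$directive" | tr 'A-Z' 'a-z')
        case "|$allowed|" in
            *"|$value|"*) ;;   # value is one of the acceptable ones
            *) echo "WEAK: $directive = '${value:-<unset>}' (expected one of: $allowed)"
               findings=$((findings + 1)) ;;
        esac
    done
    return $findings
}

# Demo on the constructed sample; run `audit_php_ini /path/to/php.ini` on a real file.
TMP=$(mktemp)
printf '%s\n' "$SAMPLE_INI" > "$TMP"
audit_php_ini "$TMP" || echo "$? weak directive(s) found"
rm -f "$TMP"
```

An unset session.cookie_httponly counts as a finding because PHP then uses its default, which leaves the session cookie readable by scripts.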

The only problem is that Safe Mode is part of PHP itself: if the PHP installation is vulnerable, a user could bypass Safe Mode. If you host several web applications on the same server, or if you simply want to protect your server by another means, I invite you to read the first paragraph of the recommendations section.

MySQL configuration

MySQL often has an administrator account by default ("root", "admin"...), which gives access to all of the databases' content, no matter who manages each database. The administrator has all the rights and can perform every possible action. You therefore need to protect your databases, so as to prevent your web applications from succumbing to SQL injections (which can happen when a user succeeds in obtaining the admin password).

Warning

If you have just installed MySQL, set a password for the root account, which has no password by default.

One user per web application

Each time you install a new web application on your server, you must create a new MySQL user with just the rights necessary to handle that application's data. Do NOT use the same username to handle the databases of all your installed web applications.
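
As an added example (not from the guide), a POSIX shell helper that prints the SQL for a per-application MySQL account limited to one database, so the statements can be reviewed before being piped into the mysql client. The database name, user name and password shown are constructed placeholders, and the exact privilege list an application's installer needs is an assumption to check against that application's documentation.

```shell
#!/bin/sh
# app_db_user_sql DBNAME USERNAME PASSWORD -> prints SQL creating one account
# that can only touch its own database. Review it, then for example:
#   app_db_user_sql prestashop_db prestashop_user 'secret' | mysql -u root -p
# The password must not contain a single quote, as it is embedded in SQL as-is.
app_db_user_sql() {
    db=$1; user=$2; pass=$3
    cat <<EOF
-- The account may only connect from the web server itself (localhost).
CREATE USER '${user}'@'localhost' IDENTIFIED BY '${pass}';
-- Data rights on this application's database only: nothing on *.*, no GRANT OPTION.
GRANT SELECT, INSERT, UPDATE, DELETE ON \`${db}\`.* TO '${user}'@'localhost';
-- Schema rights an installer typically needs, still limited to its own database.
-- (Assumption: revoke these after installation if they are not needed at run time.)
GRANT CREATE, ALTER, DROP, INDEX, LOCK TABLES ON \`${db}\`.* TO '${user}'@'localhost';
FLUSH PRIVILEGES;
EOF
}

# grants_are_scoped SQL -> succeeds only if no GRANT in SQL targets every database (*.*),
# which is the mistake this section warns against (one shared, all-powerful account).
grants_are_scoped() {
    ! printf '%s\n' "$1" | grep -E '^GRANT .* ON \*\.\*' >/dev/null
}

# Demo with constructed placeholder names; change the password before real use.
SQL=$(app_db_user_sql prestashop_db prestashop_user 'CHANGE_ME_strong_password')
grants_are_scoped "$SQL" && printf '%s\n' "$SQL"
```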

...

You can now install PrestaShop safely.

php.ini

You can also check a few directives to make your database access more efficient:

Code Block
[MySQL]
mysql.allow_persistent = On
mysql.max_persistent = -1
mysql.max_links = -1
mysql.connect_timeout = 10
mysql.trace_mode = Off

Explanation:

  • mysql.allow_persistent: Turn it on if you want to allow MySQL to have persistent connections (MySQL will close its connections after several HTTP requests).
  • mysql.max_persistent: Set the maximum number of persistent connections allowed by MySQL (-1 means the maximum that the system can allow).
  • mysql.max_links: Set the maximum number of connections allowed by MySQL (-1 means the maximum that the system can allow).
  • mysql.connect_timeout: Set the number of seconds MySQL must wait before declaring a connection lost.
  • mysql.trace_mode: When this mode is activated, MySQL shows warnings for table/index scans, non-freed result sets, and SQL errors.
  • For more information about MySQL directives: http://fr.php.net/manual/en/mysql.configuration.php

Basic authentication establishment (.htaccess)

...