Important PHP settings for CMSimple_XH 1.6

A place for security related announcements and discussions - please check this forum frequently!
cmb
Posts: 14225
Joined: Tue Jun 21, 2011 11:04 am
Location: Bingen, RLP, DE

Important PHP settings for CMSimple_XH 1.6

Post by cmb » Fri Jan 24, 2014 10:47 pm

Hello Community,

since CMSimple_XH 1.6 the authentication credentials of the site admin are stored in session variables, which is basically a security improvement over the former techniques. However, it is mandatory to keep the session ID secret---otherwise others might be able to easily hijack the admin's session.

You have to make sure that your PHP is configured to have session.use_trans_sid=0 (or Off). You can check that under Settings -> Info -> PHP-Info -> session (what counts is the "local value"). Additionally, you should have session.use_only_cookies=On (or 1).

If that is not so, you may be able to change the respective settings by adding a file .htaccess in the installation folder of CMSimple_XH with the following content (works for Apache web servers only, if at all):

Code:

php_flag session.use_trans_sid off
php_flag session.use_only_cookies on
Otherwise you'll have to contact the server admin to configure these settings for you.

German translation

Christoph
Last edited by cmb on Fri Jan 24, 2014 11:08 pm, edited 1 time in total.
Reason: added link to German translation
Christoph M. Becker – Plugins for CMSimple_XH

Post Reply
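As an added check (my code, not part of the post above or of CMSimple_XH; the script name is an assumption), this PHP script reads the same effective "local" values the post tells you to look up and prints only the php_flag lines that are still missing:

```php
<?php
// Added example, not code from the original post or from CMSimple_XH: audits the
// two settings the post requires using the effective ("local") values shown under
// Settings -> Info -> PHP-Info and prints the .htaccess lines still needed.
/** ini_get() returns flags as "1"/"0"/"", while php.ini may say On/Off. */
function ini_flag_enabled(string $value): bool
{
    return filter_var($value, FILTER_VALIDATE_BOOLEAN, FILTER_NULL_ON_FAILURE) === true;
}

/** Returns [setting => required value] for every setting that is wrong. */
function audit_session_settings(array $ini): array
{
    $required = [
        // Off: PHP must not rewrite links to carry ?PHPSESSID=..., which would
        // leak the admin's session ID through Referer headers or shared URLs.
        'session.use_trans_sid'    => false,
        // On: an ID arriving in the URL is ignored, so it cannot be used to
        // fix or take over a session; only the cookie counts.
        'session.use_only_cookies' => true,
    ];
    $findings = [];
    foreach ($required as $name => $wanted) {
        if (ini_flag_enabled((string) ($ini[$name] ?? '')) !== $wanted) {
            $findings[$name] = $wanted ? 'on' : 'off';
        }
    }
    return $findings;
}

/** Builds the php_flag lines from the post for the settings that failed. */
function htaccess_fix(array $findings): string
{
    $lines = [];
    foreach ($findings as $name => $value) {
        $lines[] = "php_flag $name $value";
    }
    return implode("\n", $lines);
}

$current = [];
foreach (['session.use_trans_sid', 'session.use_only_cookies'] as $name) {
    $current[$name] = (string) ini_get($name);   // local value, as in phpinfo()
}
$findings = audit_session_settings($current);
if ($findings === []) {
    echo "OK: the session ID travels only in the cookie.\n";
} else {
    echo "Add to .htaccess (Apache with mod_php only):\n", htaccess_fix($findings), "\n";
}
```

Place it in the CMSimple_XH folder and open it through the web server, since the values set by .htaccess or a vhost only apply to requests served by Apache, not to `php` on the command line.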