Important PHP settings for CMSimple_XH 1.6

Posted: Fri Jan 24, 2014 10:47 pm
by cmb
Hello Community,

Since CMSimple_XH 1.6, the authentication credentials of the site admin are stored in session variables, which is basically a security improvement over the former techniques. However, it is mandatory to keep the session ID secret; otherwise, others might be able to easily hijack the admin's session.

You have to make sure that your PHP is configured to have session.use_trans_sid=0 (or Off). You can check that under Settings -> Info -> PHP-Info -> session (what counts is the "local value"). Additionally, you should have session.use_only_cookies=On (or 1).

If that is not so, you may be able to change the respective settings by adding a file .htaccess in the installation folder of CMSimple_XH with the following content (works for Apache webservers only, if at all):

php_flag session.use_trans_sid off
php_flag session.use_only_cookies on

Otherwise you'll have to contact the server admin to configure these settings for you.

German translation

Christoph
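
One way to verify the effective ("local") values from a script instead of reading PHP-Info, as an added example that is not part of the original post or of CMSimple_XH. The function names `ini_flag` and `check_session_settings` are hypothetical.

```php
<?php
// Added example: hypothetical helper, not part of CMSimple_XH.
// Reports whether the effective session settings match the recommendation.

/** Interpret an ini flag string ("1", "On", "", "0", "Off", null) as a boolean. */
function ini_flag(?string $raw): bool
{
    return filter_var((string) $raw, FILTER_VALIDATE_BOOLEAN);
}

/** Returns a list of human-readable problems; an empty list means OK. */
function check_session_settings(): array
{
    $required = [
        'session.use_trans_sid'    => false, // never put the session ID into URLs
        'session.use_only_cookies' => true,  // never accept a session ID from the URL
    ];
    // details=true gives global_value (php.ini) and local_value
    // (after .htaccess or ini_set); the local value is the one in effect.
    $all = ini_get_all('session', true);
    if ($all === false) {
        return ['session extension is not loaded'];
    }
    $problems = [];
    foreach ($required as $name => $want) {
        if (!array_key_exists($name, $all)) {
            $problems[] = "$name: setting not known to this PHP";
            continue;
        }
        $local  = ini_flag($all[$name]['local_value']);
        $global = ini_flag($all[$name]['global_value']);
        if ($local !== $want) {
            $problems[] = sprintf(
                '%s: local value is %s, should be %s (global value: %s)',
                $name, $local ? 'On' : 'Off', $want ? 'On' : 'Off', $global ? 'On' : 'Off'
            );
        }
    }
    return $problems;
}

header('Content-Type: text/plain');
$problems = check_session_settings();
echo $problems ? implode("\n", $problems) . "\n" : "Session settings OK\n";
```

Request the script through the web server from the CMSimple_XH installation folder, since the PHP command line reads a different configuration and ignores .htaccess. Delete the file once the check is done.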