Difference between revisions of "Security"

From ICA-AtoM
Jump to navigation Jump to search
m
m
Line 4: Line 4:
 
* Protection against [http://en.wikipedia.org/wiki/SQL_injection SQL Injection] attacks via the [http://php.net/manual/en/book.pdo.php PHP PDO] database interface
 
* Protection against [http://en.wikipedia.org/wiki/SQL_injection SQL Injection] attacks via the [http://php.net/manual/en/book.pdo.php PHP PDO] database interface
  
User authentication is cookie based, so privileged users should restrict access to a trusted network (e.g. internal LAN or encrypted Wifi connection), or using [http://en.wikipedia.org/wiki/Transport_Layer_Security Transport Layer Security] to prevent [http://en.wikipedia.org/wiki/Session_hijacking Session hijacking].  See the ''require_ssl_admin'' setting below for forcing TLS access in [[Release 1.3]] and later.
+
User authentication is cookie based, so privileged users should restrict access to a trusted network (e.g. internal LAN or encrypted Wifi connection), or using [http://en.wikipedia.org/wiki/Transport_Layer_Security Transport Layer Security (TLS)] to prevent [http://en.wikipedia.org/wiki/Session_hijacking Session hijacking].  See the ''require_ssl_admin'' setting below for forcing TLS access in [[Release 1.3]] and later.
  
 
== Settings ==
 
== Settings ==

Revision as of 11:04, 1 August 2012

Please note that ICA-AtoM is no longer actively supported by Artefactual Systems.
Visit https://www.accesstomemory.org for information about AtoM, the currently supported version.

AtoM implements web application best practice for security. Security features include:

  • User passwords are hashed using the SHA-1 hashing algorithm with a randomly generated salt
  • Protection against SQL Injection attacks via the PHP PDO database interface

User authentication is cookie based, so privileged users should restrict access to a trusted network (e.g. internal LAN or encrypted Wifi connection), or using Transport Layer Security (TLS) to prevent Session hijacking. See the require_ssl_admin setting below for forcing TLS access in Release 1.3 and later.

Settings

In Release 1.3 three new security settings are added to AtoM:

  • require_ssl_admin: see TLS for more details
  • require_strong_passwords: enhance login validation to force use of strong passwords. At least 8 characters long, contains characters from 3 of the following classes:
    1. Upper case letters
    2. Lower case letters
    3. Numbers
    4. Special characters
  • limit_admin_ip: limit incoming requests for all administrator functionality to an IP address IP range. Two examples:
    1. 192.168.0.1
    2. 192.168.0.1-192.168.0.255

These options are changeable under the settings page. You must be an administrator.

Options 'require_ssl_admin' and 'limit_admin_ip' can be bypassed using the Debug mode.