Difference between revisions of "Security"
m (→Settings) |
m |
||
| Line 1: | Line 1: | ||
| − | '''AtoM''' implements web application best practice for security. | + | '''AtoM''' implements web application best practice for security. |
| + | Security features include: | ||
* User passwords are hashed using the [http://en.wikipedia.org/wiki/SHA-1 SHA-1] hashing algorithm with a randomly generated [http://en.wikipedia.org/wiki/Salt_%28cryptography%29 salt] | * User passwords are hashed using the [http://en.wikipedia.org/wiki/SHA-1 SHA-1] hashing algorithm with a randomly generated [http://en.wikipedia.org/wiki/Salt_%28cryptography%29 salt] | ||
* Protection against [http://en.wikipedia.org/wiki/SQL_injection SQL Injection] attacks via the [http://php.net/manual/en/book.pdo.php PHP PDO] database interface | * Protection against [http://en.wikipedia.org/wiki/SQL_injection SQL Injection] attacks via the [http://php.net/manual/en/book.pdo.php PHP PDO] database interface | ||
Revision as of 12:38, 1 August 2012
Please note that ICA-AtoM is no longer actively supported by Artefactual Systems.
Visit https://www.accesstomemory.org for information about AtoM, the currently supported version.
AtoM implements web application best practice for security.
Security features include:
- User passwords are hashed using the SHA-1 hashing algorithm with a randomly generated salt
- Protection against SQL Injection attacks via the PHP PDO database interface
User authentication is cookie based, so privileged users should restrict access to a trusted network (e.g. internal LAN or encrypted Wifi connection) or using Transport Layer Security (TLS) to prevent Session hijacking. See the require_ssl_admin setting below for forcing TLS access in Release 1.3 and later.
Settings
In Release 1.3 three new security settings are added to AtoM:
- require_ssl_admin: see TLS for more details
- require_strong_passwords: enhance login validation to force use of strong passwords. At least 8 characters long, contains characters from 3 of the following classes:
- Upper case letters
- Lower case letters
- Numbers
- Special characters
- limit_admin_ip: limit incoming requests for all administrator functionality to an IP address IP range. Two examples:
- 192.168.0.1
- 192.168.0.1-192.168.0.255
These options are changeable under the settings page. You must be an administrator.
Options 'require_ssl_admin' and 'limit_admin_ip' can be bypassed using the Debug mode.