... | ... | @@ -21,6 +21,23 @@ Change the usernames and passwords of the default set of users (_admin_, _teache |

The **_.htaccess_** file prevents direct access to the _config.inc.php_ file. You can add this rule to your site / Apache configuration and remove the _.htaccess_ if you want to avoid the use of _.htaccess_ files for performance reasons.

**php.ini**

Here are some php.ini directives that can be modified for session security:

<pre>
; session.use_strict_mode specifies whether the module will use strict session id mode.
; If this mode is enabled, the module does not accept uninitialized session ID.
; If uninitialized session ID is sent from browser, new session ID is sent to browser.
; Applications are protected from session fixation via session adoption with strict mode.
; Defaults to 0 (disabled).
; http://php.net/manual/en/session.configuration.php#ini.session.use-strict-mode
session.use_strict_mode = 1

; http://php.net/session.hash-function
session.hash_function = sha256
</pre>

Finally, and more generally, here is a good set of Apache rules to block attacks: [**5G Blacklist 2013**](http://perishablepress.com/5g-blacklist-2013/)

But you should remove this line for RosarioSIS to work:
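Review bot: `session.hash_function` (together with `session.hash_bits_per_character`) was removed in PHP 7.1, so the `session.hash_function = sha256` line in the `<pre>` block is ignored on any current PHP and gives readers a false sense of hardening; on 7.1 and later the session ID is governed by `session.sid_length` and `session.sid_bits_per_character`, and the block should state which PHP versions each directive applies to rather than presenting both as current. The `session.use_strict_mode = 1` advice is correct and worth keeping; alongside it, `session.cookie_httponly = 1` (and `session.cookie_secure = 1` when the site is served over HTTPS) are the other session directives a hardening section of this kind usually lists. Separately, the hunk ends with "But you should remove this line for RosarioSIS to work:" and no line follows the colon, so the 5G Blacklist rule the reader is supposed to remove is missing from the text and should be added.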