This article aims at giving security hints for RosarioSIS.
# PostgreSQL database
Instead of creating the RosarioSIS database with the _postgres_ superuser, first create a dedicated user that can log in and create databases. Then log in as that user and create the RosarioSIS database, so that the RosarioSIS user is its owner. That way, if the RosarioSIS user's password is discovered, the whole PostgreSQL server is not compromised.
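The following is an added example (not from the RosarioSIS wiki or project) of that procedure in SQL, to be run with `psql`. The role name `rosariosis_user`, the database name `rosariosis` and the password are placeholders. It goes one step beyond the text: once the database exists, the `CREATEDB` privilege is no longer needed and is revoked, and a final query checks the resulting ownership.

```sql
-- Step 1: run this while connected as the postgres superuser.
-- A plain login role: no SUPERUSER, no CREATEROLE, only the right to create databases.
CREATE ROLE rosariosis_user LOGIN CREATEDB PASSWORD 'CHANGE_ME_before_use';

-- Step 2: reconnect as the new role (e.g. `psql -U rosariosis_user -d postgres`)
-- and create the application database. Because rosariosis_user issues the
-- CREATE DATABASE, it becomes the owner automatically; OWNER is stated for clarity.
CREATE DATABASE rosariosis OWNER rosariosis_user;

-- Step 3 (optional hardening, beyond the wiki text): back as postgres,
-- drop the CREATEDB right now that the database exists, so a leaked
-- application password cannot be used to create further databases.
ALTER ROLE rosariosis_user NOCREATEDB;

-- Check: the owner must be rosariosis_user and the role must not be a superuser.
-- Expected row: rosariosis | rosariosis_user | f | f
SELECT d.datname,
       r.rolname AS owner,
       r.rolsuper,
       r.rolcreatedb
FROM pg_database d
JOIN pg_roles r ON r.oid = d.datdba
WHERE d.datname = 'rosariosis';
```

Point the RosarioSIS _config.inc.php_ database settings at `rosariosis_user`; the _postgres_ superuser credentials should never appear in the application configuration.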
Change the usernames and passwords of the default set of users (_admin_, _teacher_, _student_, _parent_) and adopt a [password policy](https://www.sans.org/security-resources/policies/Password_Policy.pdf).
The **_.htaccess_** file prevents direct access to the _config.inc.php_ file. If you want to avoid the use of _.htaccess_ files for performance reasons, you can add this rule to your site / Apache configuration instead and remove the _.htaccess_ file.
# php.ini
Here are some php.ini directives that can be modified for session security: