This section describes some important configuration options that are specific to the Advanced Security application.
All configuration options are stored in the ASEngine\ASConfig.php file, which is created after a successful installation.
By default, the time zone is set to UTC after you install the application. You can change it by replacing "UTC" with any other time zone listed at the following URL: http://php.net/manual/en/timezones.php
For example, if you want to set the time zone to America/New_York, your configuration should look like this:
The ASConfig file also contains some default website configuration parameters, such as the website name, domain and script URL. You can update those parameters here if you need to, but they should all have been generated correctly when the script was installed.
If you decide to change the WEBSITE_DOMAIN parameter, make sure that you prefix it with http:// or https://.
The SCRIPT_URL parameter represents the absolute URL of the folder where the script is installed. It can be the same as WEBSITE_DOMAIN if the script is installed in the website root folder, but if it is installed in a subfolder, the subfolder name must be appended here too.
For example, if you have installed the script inside the auth folder, your SCRIPT_URL constant should look like this:
To install the script, you have to provide database credentials, which are stored in the ASConfig.php file once installation is complete. However, if you later change any database credentials or details, you don't have to reinstall the script; you can update them here:
DB_HOST - Your database host. If your database is on the same server as your script, it usually means that you should put
DB_TYPE - By default, AS supports only MySQL, which means the value of this constant should be set to mysql. Since AS is built on top of PDO, you can use it with other databases with only a few modifications. One of them is changing the value of this constant; beyond that, you will probably have to update the constructor of the ASDatabase class so it can successfully connect to your database.
DB_USER - DB User's username.
DB_PASS - DB User's password.
DB_NAME - Name of database you are connecting to.
false) - This constant allows you to force secure sessions. That means that if you are accessing the website over HTTPS and you set this parameter to true, a session won't start when the website is accessed over plain HTTP.
It's recommended to set this parameter to true if you want the website to be accessed ONLY via HTTPS.
true) - When this option is set to
It is recommended to keep it set to true for security reasons.
It's recommended to keep the default value
20) - Maximum number of invalid login attempts before the user's account is locked for the current day.
This parameter is used to prevent brute-force attacks, so keep in mind that setting it to a very large number makes it useless.
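The per-day lockout this option describes, written out as an added example (not code from the Advanced Security project). The function names, the in-memory store standing in for a database table, and the limit constant are assumptions; the limit mirrors the documented default of 20.

```php
<?php
// Added example, not the Advanced Security project's own code: a per-day
// failed-login counter of the kind the maximum-attempts option describes.
// The function names, the storage array and the limit constant are assumptions.

const EXAMPLE_MAX_LOGIN_ATTEMPTS = 20; // the documented default

// $store is a constructed in-memory stand-in for the database table that would
// normally hold the counters; keys are "username|YYYY-MM-DD" (UTC day).
function attempt_key(string $username, int $now): string
{
    return $username . '|' . gmdate('Y-m-d', $now);
}

// Record one failed login for the user on the current day and return the new count.
function record_failed_login(array &$store, string $username, int $now): int
{
    $key = attempt_key($username, $now);
    $store[$key] = ($store[$key] ?? 0) + 1;
    return $store[$key];
}

// True when the user has reached the limit today. The lock lifts by itself when
// the date changes, because a new day uses a new key.
function account_locked(array $store, string $username, int $now, int $max = EXAMPLE_MAX_LOGIN_ATTEMPTS): bool
{
    return ($store[attempt_key($username, $now)] ?? 0) >= $max;
}

// A successful login before the limit is reached clears that day's counter.
function clear_failed_logins(array &$store, string $username, int $now): void
{
    unset($store[attempt_key($username, $now)]);
}

// Constructed walk-through with a fixed clock so the day boundary is visible.
$store = [];
$day1 = gmmktime(12, 0, 0, 1, 1, 2024);
for ($i = 0; $i < EXAMPLE_MAX_LOGIN_ATTEMPTS; $i++) {
    record_failed_login($store, 'alice', $day1);
}
printf("alice locked on day 1: %s\n", account_locked($store, 'alice', $day1) ? 'yes' : 'no');

$day2 = $day1 + 86400;
printf("alice locked on day 2: %s\n", account_locked($store, 'alice', $day2) ? 'yes' : 'no');
```

The walk-through locks the account after the twentieth failure and shows it unlocked again the next day. The same code makes the page's warning concrete: the limit is the number of guesses a single day allows against one account, so raising it far above the default gives an attacker that many more tries before the lock engages.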
true) - If this parameter is set to true, every time a user logs in, a hash function will generate a string based on the user's IP address and browser name and store it in the session. This prevents someone from hijacking the session from a different client.
Note: it can cause problems if the user's IP address changes very often, so in that case you will have to turn it off by setting it to
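The two session options above, forced HTTPS-only sessions and the IP-plus-browser session binding, as one added example that is not the Advanced Security project's own code. All function names, the request arrays and the HMAC key are assumptions; the example also shows the variant that leaves the IP out of the hash, which is one way to cope with the changing-IP problem the note mentions.

```php
<?php
// Added example, not the Advanced Security project's own code, illustrating the
// two session options described above: refusing to start a session over plain
// HTTP when secure sessions are forced, and binding the session to a keyed hash
// of the client's IP address and browser. All names and the key are assumptions.

// Start the session only when allowed; returns false instead of starting one
// over HTTP when $forceSecure is true.
function start_session_if_allowed(array $server, bool $forceSecure): bool
{
    $isHttps = (!empty($server['HTTPS']) && $server['HTTPS'] !== 'off')
        || (($server['SERVER_PORT'] ?? null) == 443);
    if ($forceSecure && !$isHttps) {
        return false;
    }
    if (session_status() === PHP_SESSION_NONE && PHP_SAPI !== 'cli') {
        // Cookie flags that belong with forced HTTPS: never sent over HTTP, not readable by scripts.
        session_set_cookie_params(['secure' => $isHttps, 'httponly' => true, 'samesite' => 'Lax']);
        session_start();
    }
    return true;
}

// Fingerprint of the browser name and (optionally) the IP address.
function client_fingerprint(array $server, string $key, bool $includeIp = true): string
{
    $parts = [$server['HTTP_USER_AGENT'] ?? ''];
    if ($includeIp) {
        $parts[] = $server['REMOTE_ADDR'] ?? '';
    }
    // Keyed hash: the stored value cannot be reproduced from the public inputs alone.
    return hash_hmac('sha256', implode("\n", $parts), $key);
}

// Called once at login: store the fingerprint in the session.
function bind_session_to_client(array &$session, array $server, string $key, bool $includeIp = true): void
{
    $session['client_fingerprint'] = client_fingerprint($server, $key, $includeIp);
}

// Called on every later request: the session is only honoured if the fingerprint still matches.
function session_fingerprint_valid(array $session, array $server, string $key, bool $includeIp = true): bool
{
    if (!isset($session['client_fingerprint'])) {
        return false;
    }
    return hash_equals($session['client_fingerprint'], client_fingerprint($server, $key, $includeIp));
}

// Constructed requests ($_SERVER-shaped arrays) for the walk-through.
$key          = 'example-only-key-replace-with-a-random-secret';
$loginRequest = ['HTTPS' => 'on', 'REMOTE_ADDR' => '203.0.113.10', 'HTTP_USER_AGENT' => 'ExampleBrowser/1.0'];
$httpRequest  = ['REMOTE_ADDR' => '203.0.113.10', 'HTTP_USER_AGENT' => 'ExampleBrowser/1.0'];
$ipChanged    = ['HTTPS' => 'on', 'REMOTE_ADDR' => '203.0.113.11', 'HTTP_USER_AGENT' => 'ExampleBrowser/1.0'];
$otherBrowser = ['HTTPS' => 'on', 'REMOTE_ADDR' => '203.0.113.10', 'HTTP_USER_AGENT' => 'OtherBrowser/2.0'];

printf("session over HTTP with forcing on: %s\n", start_session_if_allowed($httpRequest, true) ? 'started' : 'refused');

$session = [];
bind_session_to_client($session, $loginRequest, $key);
printf("same client:   %s\n", session_fingerprint_valid($session, $loginRequest, $key) ? 'valid' : 'rejected');
printf("IP changed:    %s\n", session_fingerprint_valid($session, $ipChanged, $key) ? 'valid' : 'rejected');
printf("other browser: %s\n", session_fingerprint_valid($session, $otherBrowser, $key) ? 'valid' : 'rejected');

// Leaving the IP out keeps roaming users logged in while a different browser is still rejected.
$session = [];
bind_session_to_client($session, $loginRequest, $key, false);
printf("IP changed, IP excluded: %s\n", session_fingerprint_valid($session, $ipChanged, $key, false) ? 'valid' : 'rejected');
```

The walk-through rejects the session as soon as either the IP or the browser string differs from the one seen at login, which is exactly the behaviour that breaks for users whose address changes between requests (mobile networks, some proxies). The last block shows the trade-off of dropping the IP: those users stay logged in, and the binding still catches a session ID replayed from a different browser, but no longer one replayed from the same browser string elsewhere.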
SUCCESS_LOGIN_REDIRECT - List of redirect pages/URLs for each user role. By default, the user is redirected to the index.php page after successful authentication.
For example, if you want to redirect users with the admin role to the users.php page after login, you can do it like this:
define('SUCCESS_LOGIN_REDIRECT', serialize(array(
    'default' => 'index.php',
    'admin'   => 'users.php'
)));
bcrypt if available) - Password hash algorithm. Available values are
sha512. During the installation, the installation wizard will try to set the default algorithm to bcrypt if your system supports it. If bcrypt is not supported, sha512 will be used.
It's recommended to use the bcrypt algorithm if possible.
13) - The bcrypt algorithm has a cost parameter that determines the number of rounds the algorithm uses to produce the hashed version of the provided string. It's recommended to keep it at the default value of
25000) - Number of iterations for the sha512 hash function (if PASSWORD_ENCRYPTION is set to sha512). The default value is high enough, but it's highly recommended to use the bcrypt algorithm if possible.
PASSWORD_SALT - A random, 22-character string from the alphabet "./0-9A-Za-z". It is generated during the installation process, and you should keep it safe since it is used to hash your passwords.
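The hashing policy laid out by the last four options (bcrypt with a cost factor when the system supports it, otherwise iterated sha512 using the installation salt), as an added example that is not the Advanced Security project's own code. The function names, the salt generator, the support check and the constants are assumptions; the cost of 13 and the 25,000 iterations mirror the documented defaults.

```php
<?php
// Added example, not the Advanced Security project's own code, showing the
// hashing policy described above: bcrypt with a cost factor when the system
// supports it, otherwise an iterated sha512 digest keyed with the installation
// salt. Function names, the salt generator and the constants are assumptions.

const EXAMPLE_BCRYPT_COST = 13;          // documented default cost
const EXAMPLE_SHA512_ITERATIONS = 25000; // documented default iteration count

// A 22-character salt from the alphabet "./0-9A-Za-z", drawn from a CSPRNG.
function generate_salt(int $length = 22): string
{
    $alphabet = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';
    $salt = '';
    for ($i = 0; $i < $length; $i++) {
        $salt .= $alphabet[random_int(0, strlen($alphabet) - 1)];
    }
    return $salt;
}

// The kind of check an installer can make before choosing bcrypt as the default.
function bcrypt_supported(): bool
{
    return defined('PASSWORD_BCRYPT') && defined('CRYPT_BLOWFISH') && CRYPT_BLOWFISH === 1;
}

function hash_password(string $password, string $algorithm, string $salt): string
{
    if ($algorithm === 'bcrypt') {
        // password_hash() embeds its own per-password random salt, so the
        // site-wide installation salt is not needed here.
        return password_hash($password, PASSWORD_BCRYPT, ['cost' => EXAMPLE_BCRYPT_COST]);
    }
    // sha512 fallback: the salt is mixed into every round, so the chain of
    // digests cannot be precomputed without it.
    $digest = hash('sha512', $salt . $password);
    for ($i = 1; $i < EXAMPLE_SHA512_ITERATIONS; $i++) {
        $digest = hash('sha512', $salt . $digest);
    }
    return $digest;
}

function verify_password(string $password, string $stored, string $algorithm, string $salt): bool
{
    if ($algorithm === 'bcrypt') {
        return password_verify($password, $stored);
    }
    // Constant-time comparison of the recomputed digest.
    return hash_equals($stored, hash_password($password, $algorithm, $salt));
}

// Constructed walk-through
$salt      = generate_salt();
$algorithm = bcrypt_supported() ? 'bcrypt' : 'sha512';
$stored    = hash_password('correct horse battery staple', $algorithm, $salt);
printf("algorithm: %s\n", $algorithm);
printf("correct password accepted: %s\n", verify_password('correct horse battery staple', $stored, $algorithm, $salt) ? 'yes' : 'no');
printf("wrong password rejected:   %s\n", verify_password('wrong password', $stored, $algorithm, $salt) ? 'no' : 'yes');
```

Two properties of the fallback path explain the page's advice. With sha512 every user shares the one installation salt, so two users with the same password get the same digest and a leaked table can be attacked in bulk, whereas bcrypt salts each hash individually and its cost parameter keeps the work per guess tunable. And because the sha512 digests depend on PASSWORD_SALT, losing or changing that value makes every stored hash unverifiable, which is why the salt must be kept safe.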
60) - Password reset key lifetime (in minutes). By default, when you request a password reset email, the key is valid for the next 60 minutes.
After it expires, you will have to request a password reset email again.
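A reset key with the documented 60-minute lifetime, as an added example that is not the Advanced Security project's own code. The key is random, only its hash is stored, and expiry is checked against a clock passed in so the walk-through can show a key going stale; the function names and the array standing in for a database table are assumptions.

```php
<?php
// Added example, not the Advanced Security project's own code, of a password
// reset key with the documented 60-minute lifetime. The key is random, only its
// hash is stored, and expiry is checked against the clock passed in so the
// example can show a key going stale. Names and storage shape are assumptions.

const EXAMPLE_RESET_KEY_LIFETIME_MINUTES = 60;

// Issue a key for a user; returns the plaintext key (the part that goes into the
// email) and records its hash and expiry in $store, a constructed stand-in for a
// database table keyed by user.
function issue_reset_key(array &$store, string $userId, int $now): string
{
    $key = bin2hex(random_bytes(32));
    $store[$userId] = [
        'key_hash'   => hash('sha256', $key),
        'expires_at' => $now + EXAMPLE_RESET_KEY_LIFETIME_MINUTES * 60,
    ];
    return $key;
}

// Valid only when a key exists for the user, it has not expired, and it matches.
function reset_key_valid(array $store, string $userId, string $presented, int $now): bool
{
    if (!isset($store[$userId])) {
        return false;
    }
    $record = $store[$userId];
    if ($now >= $record['expires_at']) {
        return false;
    }
    return hash_equals($record['key_hash'], hash('sha256', $presented));
}

// After a successful reset the record is removed so the key cannot be reused.
function consume_reset_key(array &$store, string $userId): void
{
    unset($store[$userId]);
}

// Constructed walk-through with a fixed clock.
$store    = [];
$issuedAt = gmmktime(9, 0, 0, 1, 1, 2024);
$key      = issue_reset_key($store, 'user-42', $issuedAt);
printf("after 30 min: %s\n", reset_key_valid($store, 'user-42', $key, $issuedAt + 30 * 60) ? 'valid' : 'expired or invalid');
printf("after 61 min: %s\n", reset_key_valid($store, 'user-42', $key, $issuedAt + 61 * 60) ? 'valid' : 'expired or invalid');
printf("wrong key:    %s\n", reset_key_valid($store, 'user-42', 'not-the-key', $issuedAt + 5 * 60) ? 'valid' : 'expired or invalid');
consume_reset_key($store, 'user-42');
printf("after use:    %s\n", reset_key_valid($store, 'user-42', $key, $issuedAt + 5 * 60) ? 'valid' : 'expired or invalid');
```

Storing only the hash means a read of the table does not hand out usable reset links, and removing the record once the password has been changed keeps the key single-use even within the 60-minute window.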
true) - Whether email confirmation is required after successful registration. You can set it to false if you want to allow your users to log in right after registration, without forcing them to confirm their email.
url-to/confirm.php) - URL of the page that will be used for email confirmation. It defaults to
url-to/passwordreset.php) - URL of the page that will appear after users click the password reset link in the password reset email.
smtp. If you set it to
mail() function to send emails. However, keep in mind that some servers are not configured to send emails using the mail() function, so you may have problems with it. Also, you probably won't be able to send emails from localhost if you haven't configured your PHP installation.
In that case, I recommend using an SMTP service for sending emails, such as Mailgun, which offers 10,000 free emails per month and is really easy to set up.
If you want to use an external SMTP server, besides setting
smtp, you will have to configure all the "SMTP_" parameters. Most services and SMTP servers will provide you with the list of those parameters; here is how you can configure it to send emails using your Gmail account:
define('MAILER', "smtp");
define('SMTP_HOST', "smtp.gmail.com");
define('SMTP_PORT', 465);
define('SMTP_USERNAME', "firstname.lastname@example.org");
define('SMTP_PASSWORD', "your_gmail_password");
define('SMTP_ENCRYPTION', "ssl");
If this configuration doesn't work as expected, try setting
tls. More information about Gmail SMTP settings can be found at this URL: https://support.google.com/a/answer/176600?hl=en
Note! If your server does not require encryption, just leave SMTP_ENCRYPTION blank.
MAIL_FROM_NAME - From name used in all emails that are being sent from the application.
MAIL_FROM_EMAIL - From email used in all emails that are being sent from the application.