Configuration


Configuration

This section contains some important configuration options that are specific to Advanced Security application. All configuration options are stored inside ASEngine\ASConfig.php file, which is created after successful installation.

Timezone

By default, time zone is set to UTC after you install the application. You can modify that by replacing "UTC" with some other time zone available on following url: http://php.net/manual/en/timezones.php

For example, if you want to set up timezone to America/New_York, your configuration should look like this:

date_default_timezone_set('America/New_York');

Website Info

ASConfig file also contains some default website configuration parameters, like website name, domain and script url. You can update those parameters here if you need to, but they all should be properly generated after script is installed.

If you decide to change WEBSITE_DOMAIN parameter, make sure that you prefix it with http:// or https://.

SCRIPT_URL parameter represent absolute url to the folder where script is installed. It can look the same as WEBSITE_DOMAIN if your script is installed inside the website root folder, but if it is installed inside some subfolder, the subfolder name should be added here too. For example, if you have installed the script inside auth folder, your SCRIPT_URL constant should look like this:

define('SCRIPT_URL', 'http://as2.dev/auth');

Database Configuration

In order to install the script, you have to provide database credentials, and those credentials are stored into ASConfig.php file after installation is completed. However, if you decide to change some database credentials/informations, you don't have to reinstall the script. You can update those informations here:

DB_HOST - Your database host. If your database is on the same server as your script, it usually means that you should put localhost here.

DB_TYPE - By default, AS support only mysql database, and that means that value of this constant should be set to mysql. Since AS is built on top of PDO, it means that you can use it with some other databases with only few modifications. One of them is to change the value of this constant, and other than that, you will probably have to update the constructor of ASDatabase class, so it can successfully connect to your database.

DB_USER - DB User's username.

DB_PASS - DB User's password.

DB_NAME - Name of database you are connecting to.

Session Configuration

SESSION_SECURE (default false) - This constant allow us to force secure sessions if we want to. That actually means that, if you are accessing the website over HTTPS, and you set this parameter to true session won't start if you access the website via HTTP. It's recommended to set this parameter to true in case you want to access the website ONLY via HTTPS.

SESSION_HTTP_ONLY (default true) - When this option is set to true, generated session cookie will be only accessible by your browser and not from JavaScript code. It is recommended to keep it to true for security reasons.

SESSION_USE_ONLY_COOKIES (default true) - Specifies whether the module will only use cookies to store the session id on the client side. Enabling this setting prevents attacks involved passing session ids in URLs. It's recommended to keep the default value

Login Configuration

LOGIN_MAX_LOGIN_ATTEMPTS (default 20) - Maximum invalid login attempts before user's account is locked for current day. This configuration parameter is used to prevent brute-force attacks, so keep in mind that setting it to some huge number will make it useless.

LOGIN_FINGERPRINT (default true) - If this parameter is set to true, every time when user is logged in, hash function will generate string based on your IP Address and your browser name, and store it inside the session. This will prevent someone to steal your session. Note: It can cause problems if user IP address changes very often, so in that case you will have to turn it off by setting it to false.

SUCCESS_LOGIN_REDIRECT - List of redirect pages/URLs for each user role. By default, it will redirect the user to "index.php" page after successful authentication. For example, if you want to redirect users with admin role to users.php page after login, you can do it like this:

define('SUCCESS_LOGIN_REDIRECT', serialize(array(
    'default' => 'index.php', 
    'admin' => 'users.php'
)));

Password Configuration

PASSWORD_ENCRYPTION (default bcrypt if available) - Password hash algorithm. Available values are bcrypt and sha512. During the installation, installation wizard will try to set default algorithm to bcrypt if your system supports it. In case that bcrypt is not supported, sha512 will be used. It's recommended to use bcrypt algorithm if possible.

PASSWORD_BCRYPT_COST (default 13) - Bcrypt algorithm has it's cost parameter that will determine the number of rounds this algorithm will use to make the hashed version of provided string. It's recommended to keep it to default value of 13.

PASSWORD_SHA512_ITERATIONS (default 25000) - Number of iterations for sha512 hash function (if PASSWORD_ENCRYPTION is set to sha512). The default value is high enough, but it's highly recommended to use bcrypt algorithm if possible.

PASSWORD_SALT - Random, 22 characters long, string from the alphabet "./0-9A-Za-z". It generated during the installation process and you should keep it safe since it is used to hash your passwords.

PASSWORD_RESET_KEY_LIFE (default 60) - Password reset key life (in minutes). By default, when you request a password reset email, it will be valid in next 60 minutes. After it expires, you will have to request password reset email again.

Registration Configuration

MAIL_CONFIRMATION_REQUIRED (default true) - Is mail confirmation required upon successful registration. You can set it to false if you want to allow your users to login right after the registration, without forcing them to confirm their email.

REGISTER_CONFIRM (default url-to/confirm.php) - URL to the page that will be used for email configuration. It defaults to confirm.php page.

REGISTER_PASSWORD_RESET (default url-to/passwordreset.php) - URL to page that will appear after users click on password reset link inside password reset email.

Emails Configuration

MAILER (default mail) - PHP mailer that will be used for sending emails. Available values are mail and smtp. If you set it to mail (which is the default value) AS will try to use default PHP mail() function to send emails. However, keep in mind that some servers are not configured to send emails using mail() function, so you can have problems with it. Also, you probably won't be able to send emails from localhost, if you haven't configured your php installation. In that case, I recommend you to use some SMTP server for sending emails (like Mailgun) which offers 10,000 free emails per month, and it's really easy to set up.

If you want to use some external SMTP server, besides setting MAILER to smtp, you will have to configure all "SMTP_" parameters. Most services and SMTP servers will provide you the list of those parameters, and here is how you can configure it to send emails using your Gmail account:

define('MAILER', "smtp");
define('SMTP_HOST', "smtp.gmail.com");
define('SMTP_PORT', 465);
define('SMTP_USERNAME', "your_email_address@gmail.com");
define('SMTP_PASSWORD', "your_gmail_password");
define('SMTP_ENCRYPTION', "ssl");

In case that this configuration don't work as expected, try to set SMTP_PORT to 587 and SMTP_ENCRYPTION to tls. More info about Gmail SMTP settings can be found on this URL: https://support.google.com/a/answer/176600?hl=en

Note! If your server does not require encryption, just leave it blank.

MAIL_FROM_NAME - From name used in all emails that are being sent from the application.

MAIL_FROM_EMAIL - From email used in all emails that are being sent from the application.