Hardening PHPrunner Website

10/28/2018 5:36:12 AM
PHPRunner General questions
DanDooPur author

Hi all,
I've got some questions about hardening a PHPRunner website. For one, whether there is built-in security against session hijacking.
Any tips on hardening will also be welcome.
Thanks in advance,

Daniël

John Rotella 10/28/2018

Good question.

admin 10/29/2018

PHPRunner apps are secure by default, all best practices are used. Just make sure you run this application under HTTPS and you are all set.
Many of our clients are required by law and regulations to scan all their web applications with Acunetix, which helps both them and us stay secure: https://www.acunetix.com/vulnerability-scanner/

steveh 10/31/2018

One thing to be aware of is that if you copy a PHPRunner project to another directory on the server then the session will be shared. I have amended my source tree for include/dbcommon.php thus:-
Old:-
@session_name(str_replace(" ", "", "s##@BUILDER.arrConnections{@BUILDER.strDefaultConnID}.m_lastDbSyncTime##"));
New:-
@session_name("s".md5(__DIR__));
If you don't do this then somebody that logs into website a on database a will be considered as also logged into any copy of the website on that server, regardless of whether the login account exists on that database.
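
The per-directory session name from the post above, extended with a check that a session was created by this copy of the application. This is an added example, not part of the original post and not PHPRunner's own code. The function names and paths are hypothetical, the array form of session_set_cookie_params assumes PHP 7.3 or later, and the secure cookie flag assumes the site is served over HTTPS.

```php
<?php
// Added example: per-copy session isolation (helper names are hypothetical).

// Derive a cookie-safe session name from the directory this copy is installed
// in, so two copies on one host do not share the same session cookie.
function app_session_name(string $appDir): string
{
    return 's' . md5($appDir);
}

// Start a session whose cookie is named per copy, is not readable from
// script, and is never sent over plain HTTP.
function start_isolated_session(string $appDir): void
{
    session_name(app_session_name($appDir));
    session_set_cookie_params([
        'path'     => '/',
        'secure'   => true,   // assumption: HTTPS only
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    // Reject session ids that the server did not issue itself.
    ini_set('session.use_strict_mode', '1');
    session_start();
}

// Call at login: issue a fresh id and record which copy authenticated the user.
function mark_login(string $appDir, string $userId): void
{
    session_regenerate_id(true);
    $_SESSION['app_id']  = hash('sha256', $appDir);
    $_SESSION['user_id'] = $userId;
}

// Call on every request: a session created by another copy is not accepted,
// even if both copies end up reading the same session storage.
function session_belongs_here(string $appDir): bool
{
    return isset($_SESSION['app_id'], $_SESSION['user_id'])
        && hash_equals($_SESSION['app_id'], hash('sha256', $appDir));
}

// Constructed check that needs no web server: two install paths, two names.
$a = app_session_name('/var/www/site_a'); // constructed path
$b = app_session_name('/var/www/site_b'); // constructed path
var_dump($a !== $b);
```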

HJB 10/31/2018

@admin
https://stackoverflow.com/questions/1727919/how-to-prevent-multiple-logins-in-php-website
... for additional security inspiration purposes only, other than session hijacking.
Would love to see this implemented in one of the future releases, as has been seen for years in a competitor's product, to be simply activated by one mouse click on a checkbox.