Advanced Security Settings
Overview
ProductCart contains a set of features aimed at helping a ProductCart-powered store minimize the chances of a successful script-based attack against the store. For example, an attacker may write a script that fills in the User Name and Password fields of the Control Panel login page automatically and resubmits the form with new values each time access is denied.
Such attacks are performed to gain unauthorized access to the store. Renaming the Control Panel folder is the first step toward preventing them, since it makes the login page harder for an automated script to locate.
The features discussed in this section add a further layer of protection.
Referring URL Validation
To reduce the chances of unauthorized access to ProductCart (e.g. the Control Panel, an affiliate account or a customer account) from a third-party script, the system checks the referring URL of every request submitted to a login form handler. If the referring URL is not the ProductCart page that is supposed to submit to that handler, the request is immediately rejected.
In other words, if a form handler that authenticates a user is reached from any location other than the ProductCart form designed to post to it, the request is denied. Keep in mind that the referring URL comes from the client's HTTP Referer header, which a deliberately written script can set to any value and which some browsers, privacy tools and proxies strip altogether. The check therefore stops naive scripts but is not an authentication mechanism on its own, which is why ProductCart combines it with PC Session Checking (see How these features work below).
For example, in the Control Panel the page “login_1.asp” is used to send information to the form handler “login.asp” to authenticate a user for access to the ProductCart Control Panel. If you try to access the form handler (e.g. http://www.YourStore.com/productcart/pcadmin/login.asp) from any other page, you will be denied access and will instead receive the following message: “Your attempt was denied because of security reasons. Please contact the store administrator for more information.”
To test this feature, do the following (replace the URL with a valid URL for your store):
- Close all open browser windows.
- Open a new browser window.
- Enter the URL below (adjust the URL to account for your store's folder structure):
<nowiki>http://www.YourStore.com/productcart/pcadmin/login.asp</nowiki>
You will receive the message mentioned above: a URL typed directly into the browser sends no Referer header and has no ProductCart session behind it, so the request fails the check.
Notification of N Unauthorized Attempts
You can configure the system to count unsuccessful login attempts and send a notification e-mail to the store manager once the number of invalid attempts exceeds a limit you set.
The e-mail message sent to the administrator contains information on the user that was attempting to log into the system, including the user's IP address. If you determine that someone might be trying to attack your store, you can contact your Web hosting company and ask them to deny that IP address access to your Web site. Note that this feature only notifies you; it does not itself block the address, and an attacker spreading attempts across many addresses will show up as separate alerts rather than one.
Additional, randomized login ID
In V3, when you activate the security features described above you can also choose to require users to enter an additional piece of information: a set of 6 randomized numbers shown as an image (a CAPTCHA).
A random combination of 6 numbers is shown to the user and must be entered before access is granted. This makes it harder for an automated script to read and enter those numbers in the corresponding field, which further limits the ability of anyone to perform a script-based attack against your store to gain unauthorized access to it. An XML parser is required on your store for this feature to work properly.
In V4 this CAPTCHA has been replaced with a new version that presents a series of letters and numbers in a distorted image. The look of this CAPTCHA can easily be modified to adjust its colours, level of distortion etc. The configuration file is in the ProductCart/CAPTCHA folder.
How these features work
To better understand why these features were added to ProductCart, consider the following diagrams. When a form that is part of ProductCart submits a request to the shopping cart (e.g. registration of a new customer, request to log into a customer account, request to log into the Control Panel, etc.), data is exchanged as follows:
When a form that is not part of ProductCart submits a similar request to the shopping cart, data is exchanged as follows:
An attacker could use this kind of request either to try to overload the database that powers your store (“flood attack”) by adding a large number of unnecessary records (potentially millions), or to try to gain unauthorized access to your store by guessing the Control Panel user name and password, for example via an automated script that uses a database containing a large number of user name/password combinations.
The advanced security features added to ProductCart can help you prevent this type of attack by controlling the way information is posted to certain files inside the application. The following diagrams give you an idea of what happens when these features are enabled.
HTTP_REFERER Checking and PC Session Checking ensure that the form posting data to ProductCart is part of your ProductCart store. Image Number Session Checking ensures that a person, rather than a script, is posting the data. In addition, an e-mail notification feature alerts the store administrator when a possible attack is detected.
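The following is an added example, not ProductCart's own code (which is classic ASP): a Python model of the three checks named above (Referring URL Validation, PC Session Checking, the image-number CAPTCHA) together with the failed-attempt counter from Notification of N Unauthorized Attempts, so that the order of the checks and what each one catches can be seen end to end. The host name, the form field names pc_token and pc_captcha, the Session class, the per-IP counter and the alert callback are assumptions for illustration; the denial message and the 6-digit code are the ones described on this page.

```python
"""Model of ProductCart's advanced security checks (illustrative, not ProductCart code)."""
import hmac
import secrets
from collections import defaultdict
from urllib.parse import urlsplit

# Assumed store layout; adjust to your own folder structure.
STORE_HOST = "www.yourstore.com"
LOGIN_FORM_PATH = "/productcart/pcadmin/login_1.asp"   # the only page allowed to post to login.asp
DENIED_MESSAGE = ("Your attempt was denied because of security reasons. "
                  "Please contact the store administrator for more information.")


class Session:
    """Server-side state created when the genuine login form is rendered.

    PC Session Checking is modelled as a per-form nonce and Image Number Session
    Checking as the 6-digit code behind the CAPTCHA image. Both are assumptions
    about the implementation, not ProductCart's own mechanism.
    """

    def __init__(self):
        self.form_token = secrets.token_hex(16)
        self.captcha_code = "".join(secrets.choice("0123456789") for _ in range(6))


def referer_ok(headers):
    """HTTP_REFERER Checking: only our own login form may post to the handler.

    The Referer header is supplied by the client, so a crafted script can forge it;
    this check stops naive scripts and the session check catches the rest.
    """
    referer = headers.get("Referer")
    if not referer:
        return False
    parts = urlsplit(referer)
    return parts.hostname == STORE_HOST and parts.path == LOGIN_FORM_PATH


def session_ok(session, form):
    """PC Session Checking: the nonce embedded in the rendered form must match."""
    return session is not None and hmac.compare_digest(
        session.form_token, form.get("pc_token", ""))


def captcha_ok(session, form):
    """Image Number Session Checking: the 6 digits shown must be typed back."""
    return session is not None and hmac.compare_digest(
        session.captcha_code, form.get("pc_captcha", ""))


class LoginGuard:
    """Applies the checks in order and counts failed logins per client IP."""

    def __init__(self, alert_after, use_captcha, notify, check_credentials):
        self.alert_after = alert_after          # "number of attempts listed below"
        self.use_captcha = use_captcha
        self.notify = notify                    # stands in for the e-mail to the store manager
        self.check_credentials = check_credentials
        self.failures = defaultdict(int)        # keyed by client IP (assumption)

    def handle(self, headers, form, session, client_ip):
        if not referer_ok(headers) or not session_ok(session, form):
            return "denied"                     # caller shows DENIED_MESSAGE
        if self.use_captcha and not captcha_ok(session, form):
            return "denied"
        if self.check_credentials(form.get("user", ""), form.get("password", "")):
            self.failures.pop(client_ip, None)
            return "ok"
        self.failures[client_ip] += 1
        if self.failures[client_ip] > self.alert_after:
            self.notify(f"{self.failures[client_ip]} failed Control Panel logins from "
                        f"{client_ip}, last user name {form.get('user', '')!r}")
        return "invalid"


def demo():
    """Run the scenarios discussed on this page with constructed requests."""
    alerts = []
    guard = LoginGuard(alert_after=3, use_captcha=True, notify=alerts.append,
                       check_credentials=lambda u, p: (u, p) == ("admin", "correct horse"))
    good_ref = {"Referer": f"http://{STORE_HOST}{LOGIN_FORM_PATH}"}
    sess = Session()
    legit = {"user": "admin", "password": "wrong", "pc_token": sess.form_token,
             "pc_captcha": sess.captcha_code}
    wrong_captcha = str((int(sess.captcha_code) + 1) % 1000000).zfill(6)
    results = {}
    # 1. login.asp typed into a fresh browser: no Referer, no session -> denied.
    results["direct"] = guard.handle({}, {"user": "admin", "password": "x"}, None, "203.0.113.5")
    # 2. Script forges the Referer but never loaded the real form -> session check fails.
    results["forged_referer"] = guard.handle(good_ref, {"user": "admin", "password": "x"}, None, "203.0.113.5")
    # 3. Script loaded the form but cannot read the image -> CAPTCHA fails.
    results["no_captcha"] = guard.handle(good_ref, {**legit, "pc_captcha": wrong_captcha}, sess, "203.0.113.5")
    # 4. Four wrong passwords from one IP through the real form -> alert on the fourth.
    for _ in range(4):
        results["guessing"] = guard.handle(good_ref, legit, sess, "203.0.113.5")
    results["alerts"] = len(alerts)
    # 5. Correct password through the real form -> accepted, counter reset.
    results["login"] = guard.handle(good_ref, {**legit, "password": "correct horse"}, sess, "203.0.113.5")
    results["failures_after_login"] = guard.failures.get("203.0.113.5", 0)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running the block shows a direct request stopped by the Referer check, a forged Referer caught by the session check, a script that loaded the form but cannot read the image stopped by the CAPTCHA, and one alert after the fourth wrong password from a single address. Because the counter is keyed by client IP, an attacker rotating addresses produces at most one alert per address, and the alert only notifies; blocking the address remains a manual step with your host, as the page describes.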
Activating the Advanced Security Settings
To activate these security features, select Settings > Adv. Security Settings from the Control Panel navigation. Note that only the master administrator has access to this feature. If you don’t see this link in the navigation it means that you are not logged into the Control Panel as the master administrator.
You can configure the following settings:
- Turn Security On or Off: turns all of the security settings on or off, storewide. All other settings are ignored when the security settings are turned off.
- Add advanced security to User Login pages: activates HTTP_REFERER Checking and PC Session Checking for the storefront login pages.
- Add advanced security to User Registration pages: activates HTTP_REFERER Checking and PC Session Checking for the storefront registration page.
- Add advanced security to Affiliate Login pages: activates HTTP_REFERER Checking and PC Session Checking for the storefront affiliate login pages.
- Add advanced security to Affiliate Registration pages: activates HTTP_REFERER Checking and PC Session Checking for the storefront affiliate registration pages.
- Add advanced security to Control Panel Login page: activates HTTP_REFERER Checking and PC Session Checking for the Control Panel login page.
- Use random number images for the storefront Login/Registration pages: activates Image Number Session Checking for the storefront pages listed above. An additional input field is shown on those pages; customers must read the string of 6 random numbers shown on the page and enter it in that field. This option is only available on a store that has an XML parser installed.
- Use random number images for the Control Panel Login page: activates Image Number Session Checking for the Control Panel login page. An additional input field is shown on the Control Panel login page; the store manager must read the string of 6 random numbers shown on the page and enter it in that field. This option is only available on a store that has an XML parser installed.
- Send a notification e-mail to store administrator when someone attempts to log into the store more than the number of attempts listed below: alerts you to a script-based attack performed against the store. This applies to any login form in the storefront and in the Control Panel. Use the corresponding input field to set the number of attempts after which the alert is triggered.