FORUMS


The Form Tools forums are no longer active, but the old posts have been archived here. Please see the Help page on how to get help / report issues.

configuration setting
#1
I am setting up FT for our production environment and need to know what the following setting is for? We want our installation to be as secure as possible and this setting makes me feel a bit uneasy...

/**
* This setting should be enabled PRIOR to including this file in any external script (e.g. the API)
* that doesn't require the person to be logged into Form Tools. This lets you leverage the Form Tools
* functionality in the outside world without already being logged into Form Tools.
*/
$g_check_ft_sessions = (isset($g_check_ft_sessions)) ? $g_check_ft_sessions : true;

Should I set this to false to keep the "outside world" away?
Reply
#2
Hi,

Until someone more knowledgeable comes along, I'd say that this isn't something to be concerned about.

I think the code quoted is simply checking if an FT session exists, which, as you read the documentation, you'll see is a core thing to the whole process.

Martin

(Apr 13th, 2010, 8:56 AM) marcat Wrote: I am setting up FT for our production environment and need to know what the following setting is for? We want our installation to be as secure as possible and this setting makes me feel a bit uneasy...

/**
* This setting should be enabled PRIOR to including this file in any external script (e.g. the API)
* that doesn't require the person to be logged into Form Tools. This lets you leverage the Form Tools
* functionality in the outside world without already being logged into Form Tools.
*/
$g_check_ft_sessions = (isset($g_check_ft_sessions)) ? $g_check_ft_sessions : true;

Should I set this to false to keep the "outside world" away?
Reply
#3
Hey Marcat,

No, it's nothing to worry about. The only way that setting could be subverted would be if a malicious PHP script is already running on your server, in which case you have FAR bigger problems to contend with. Alternatively, if you have the PHP register_globals setting enabled (which is getting pretty rare these days and should NEVER be enabled!). But even then, it wouldn't allow anyone to get access to anything - the script just wouldn't work from a web browser.

As Martin noted, it's really just a way for the API to access some functionality.

Good question though.

- Ben
Reply
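How the isset-or-default pattern in the quoted setting resolves with and without register_globals, as an added example that is not part of the original thread and not Form Tools' own code. The function names, the FT_SKIP_SESSION_CHECK constant and the request array are constructed for illustration; only the variable name and the pattern come from the quoted snippet.

```php
<?php
// Added example, not Form Tools code. Only the variable name and the
// isset-or-default pattern come from the quoted snippet; all else is hypothetical.

// Effective flag, given the variables in scope when the library file is included.
function resolve_flag(array $scope): bool
{
    return isset($scope['g_check_ft_sessions'])
        ? (bool) $scope['g_check_ft_sessions']
        : true; // default: the session check stays on
}

// Models register_globals (removed in PHP 5.4.0): request parameters became
// globals before the script ran; the script's own assignments still win.
function scope_at_include(array $script_vars, array $request, bool $register_globals): array
{
    return $register_globals ? array_merge($request, $script_vars) : $script_vars;
}

// Hardened variant (assumption): opt out through a constant, which request
// input cannot define under any PHP configuration.
function resolve_flag_hardened(): bool
{
    return !(defined('FT_SKIP_SESSION_CHECK') && FT_SKIP_SESSION_CHECK === true);
}

// Deployment check: false on PHP >= 5.4, where the directive no longer exists.
function register_globals_enabled(): bool
{
    return filter_var(ini_get('register_globals'), FILTER_VALIDATE_BOOLEAN);
}

$request = ['g_check_ft_sessions' => '0']; // constructed query-string parameter
$cases = [
    'normal page, register_globals off' => [[], $request, false],
    'API script sets the flag itself'   => [['g_check_ft_sessions' => false], [], false],
    'normal page, register_globals on'  => [[], $request, true],
];
foreach ($cases as $label => [$vars, $req, $rg]) {
    $on = resolve_flag(scope_at_include($vars, $req, $rg));
    printf("%-36s session check %s\n", $label, $on ? 'ON' : 'OFF');
}
printf("%-36s session check %s\n", 'constant-based variant', resolve_flag_hardened() ? 'ON' : 'OFF');
printf("register_globals enabled on this host: %s\n", register_globals_enabled() ? 'yes' : 'no');
```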
#4
Great! Thanks for the clarification...
Reply

