Overview

ProductCart contains a set of features aimed at helping a ProductCart-powered store minimize the chances of a successful, script-based attack against the store. For example, a hacker may write a script that fills the User Name and Password fields in the Control Panel login page automatically, resubmitting the form with new values when access is denied.
Such attacks are performed to gain unauthorized access to the store. Renaming the Control Panel folders is the first step to avoiding such attacks.
The features discussed in this section add an additional level of protection.
Referring URL Validation

To reduce the chances of unauthorized access to ProductCart (e.g. Control Panel, Affiliate account, customer account) from a third-party script, the system now performs a check to validate the URL of the request submitted to the login form. If the URL is not valid, the request is immediately rejected.
In other words, if you access any form handlers that authenticate a user from a location other than the ProductCart form that is supposed to be used to send information to that form handler, the request will be immediately rejected.
For example, in the Control Panel the page “login_1.asp” is used to send information to the form handler “login.asp” to authenticate a user for access to the ProductCart Control Panel. If you try to access the form handler (http://www.YourStore.com/productcart/pcadmin/login.asp) from any other page, you will be denied access and will instead receive the following message "Your attempt was denied because of security reasons. Please contact the store administrator for more information.”
To test this feature, do the following (replace the URL with a valid URL for your store):
- Close all open browsers windows
- Open a new browser window
- Enter the URL below (adjust the URL to account for your store's folder structure)
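The referring-URL check and the test above, as an added Python illustration (this is not ProductCart's own ASP code): the store host, the handler path and the allowed form page are assumed placeholders, and the denial text is the message quoted on this page.

```python
from urllib.parse import urlsplit

# Constructed mapping: which form page is allowed to submit to each handler.
# Paths are illustrative placeholders; adjust them to the store's folder layout.
ALLOWED_SUBMITTERS = {
    "/productcart/pcadmin/login.asp": {"/productcart/pcadmin/login_1.asp"},
}

STORE_HOST = "www.yourstore.com"   # assumed store hostname (placeholder)

DENIED_MESSAGE = ("Your attempt was denied because of security reasons. "
                  "Please contact the store administrator for more information.")


def referer_is_valid(handler_path, referer, store_host=STORE_HOST,
                     allowed=ALLOWED_SUBMITTERS):
    """True only if the Referer names the form page that is supposed to post
    to handler_path, on this store's own host (scheme, host and path checked;
    query string ignored, comparison case-insensitive like IIS paths)."""
    if not referer:
        # No Referer at all cannot be traced to the expected form: reject.
        return False
    parts = urlsplit(referer)
    if parts.scheme not in ("http", "https"):
        return False
    if parts.hostname is None or parts.hostname != store_host.lower():
        return False
    allowed_paths = {p.lower() for p in allowed.get(handler_path, set())}
    return parts.path.lower() in allowed_paths


def handle_login_post(handler_path, headers):
    """Gate in front of a login form handler: returns the denial message, or
    None when the request may proceed to the actual credential check."""
    referer = headers.get("Referer") or headers.get("HTTP_REFERER")
    if not referer_is_valid(handler_path, referer):
        return DENIED_MESSAGE
    return None


if __name__ == "__main__":
    # Typing the handler URL directly into a new browser window sends no
    # Referer, which is exactly the case the test procedure above exercises.
    print(handle_login_post("/productcart/pcadmin/login.asp", {}))
```

Because the Referer header is supplied by the client, this check raises the cost for a naive script and for direct requests to the handler, but it is not proof of origin on its own; it works together with the session checking and the failed-attempt notification described on this page.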
Notification of N Unauthorized Attempts

You can configure the system so that it counts the number of unsuccessful login attempts and sends a notification e-mail to the store manager when the number of invalid attempts has exceeded that limit.
The e-mail message sent to the administrator contains information on the user that was attempting to log into the system, including the user's IP address. If you determine that a hacker might be trying to attack your store, you could contact your Web hosting company and ask them to deny that IP address access to your Web site.
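The attempt counter and administrator notification, as an added Python illustration (not ProductCart's own code): failures are counted per login form and source IP within a rolling window, and one notification record carrying the IP address and the last user name tried is produced once the configured limit is exceeded. The login events below are constructed sample data.

```python
from collections import defaultdict
from datetime import datetime, timedelta


class FailedLoginMonitor:
    """Counts unsuccessful logins per (form, IP) inside a rolling window and
    returns a notification record when the configured limit is exceeded."""

    def __init__(self, max_attempts, window=timedelta(minutes=15)):
        self.max_attempts = max_attempts
        self.window = window
        self._failures = defaultdict(list)   # (form, ip) -> failure timestamps
        self._notified = set()               # keys already reported once

    def record(self, form, ip, username, success, when):
        """Feed one login outcome; returns a notification dict or None."""
        key = (form, ip)
        if success:
            # A successful login clears the counter for that form/IP.
            self._failures.pop(key, None)
            self._notified.discard(key)
            return None
        cutoff = when - self.window
        recent = [t for t in self._failures[key] if t > cutoff]
        recent.append(when)
        self._failures[key] = recent
        if len(recent) > self.max_attempts and key not in self._notified:
            self._notified.add(key)   # notify once per burst, not per attempt
            return {
                "to": "store administrator",
                "form": form,
                "ip": ip,
                "last_username": username,
                "failed_attempts": len(recent),
                "first_failure": recent[0].isoformat(),
                "last_failure": when.isoformat(),
            }
        return None


# Constructed sample events: (form, source IP, user name, success, timestamp)
SAMPLE_EVENTS = [
    ("pcadmin/login.asp", "203.0.113.7", "admin", False, "2024-01-01T10:00:00"),
    ("pcadmin/login.asp", "203.0.113.7", "admin", False, "2024-01-01T10:00:05"),
    ("pcadmin/login.asp", "203.0.113.7", "administrator", False, "2024-01-01T10:00:10"),
    ("pcadmin/login.asp", "203.0.113.7", "root", False, "2024-01-01T10:00:15"),
    ("pcadmin/login.asp", "203.0.113.7", "root", False, "2024-01-01T10:00:20"),
    ("pcadmin/login.asp", "198.51.100.9", "mary", False, "2024-01-01T10:01:00"),
    ("pcadmin/login.asp", "203.0.113.7", "admin", True, "2024-01-01T10:05:00"),
    ("pcadmin/login.asp", "203.0.113.7", "admin", False, "2024-01-01T10:06:00"),
]


def replay(events, max_attempts=3):
    """Run the events through a monitor; returns the notifications raised."""
    monitor = FailedLoginMonitor(max_attempts)
    alerts = []
    for form, ip, user, ok, ts in events:
        alert = monitor.record(form, ip, user, ok, datetime.fromisoformat(ts))
        if alert:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for alert in replay(SAMPLE_EVENTS):
        print(alert)
```

With the limit set to 3, the fourth failure from 203.0.113.7 raises the single notification; the later failure from the same address does not send a second e-mail, the one failure from 198.51.100.9 stays below the limit, and the successful login resets the counter.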
Additional, Randomized Login ID
- Turn Security On or Off - This setting turns all security settings on or off. It applies storewide. All other settings are ignored when the security settings are turned off.
- Add Advanced Security to User Login Pages- This activates HTTP_REFERER Checking and PC Session Checking for the storefront login and registration pages.
- Add Advanced Security to User Registration Pages- This activates HTTP_REFERER Checking and PC Session Checking for the storefront registration page.
- Add Advanced Security to Affiliate Login Pages - This activates HTTP_REFERER Checking and PC Session Checking for the storefront affiliate login pages.
- Add Advanced Security to Affiliate Registration Pages- This activates HTTP_REFERER Checking and PC Session Checking for the storefront affiliate registration pages.
- Add Advanced Security to Control Panel Login Page- This activates HTTP_REFERER Checking and PC Session Checking for the Control Panel login page.
- Use Random Number Images for the Storefront Login/Registration Pages - This activates Image Number Session Checking for the storefront pages mentioned above. An additional input field is shown on those pages. Customers will need to read the string of 6 random numbers shown on the page and enter it in the corresponding input field. You can only use this option on a store that has the XML parser installed.
- Use Random Number Images for the Control Panel Login Page - This activates Image Number Session Checking for the Control Panel login page. An additional input field is shown on the Control Panel login page. The store manager will need to read the string of 6 random numbers shown on the page and enter it in the corresponding input field. You can only use this option on a store that has the XML parser installed.
- Send a Notification E-mail to Store Administrator when Someone Attempts to Log into the Store More Than the Number of Attempts Listed - This feature can alert you of a script-based attack performed against the store. It applies to any login form in the storefront and in the Control Panel. Use the corresponding input field to set the number of attempts after which the alert is triggered.
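The Image Number Session Checking behind the two "Random Number Images" settings, as an added Python illustration (not ProductCart's own code): a 6-digit code is generated from a secure random source, bound to the visitor's session with an expiry, and accepted exactly once. The session identifiers, the 5-minute lifetime and the injectable clock are assumptions made so the example runs offline.

```python
import hmac
import secrets
import time


class ImageNumberChallenge:
    """Issues a 6-digit code bound to a session (the product draws it into an
    image; here it is returned as a string) and verifies the answer once."""

    DIGITS = 6

    def __init__(self, ttl_seconds=300, clock=time.time):
        self.ttl = ttl_seconds
        self.clock = clock               # injectable for testing expiry
        self._pending = {}               # session_id -> (code, expires_at)

    def issue(self, session_id):
        """Create a fresh code for this session, replacing any earlier one."""
        code = "".join(secrets.choice("0123456789") for _ in range(self.DIGITS))
        self._pending[session_id] = (code, self.clock() + self.ttl)
        return code

    def verify(self, session_id, answer):
        """Consume the session's pending code and compare it to the answer.
        Any attempt, right or wrong, spends the code: a reload issues a new one."""
        entry = self._pending.pop(session_id, None)
        if entry is None:
            return False                 # nothing issued, or already used
        code, expires_at = entry
        if self.clock() > expires_at:
            return False                 # stale code from an old page load
        return hmac.compare_digest(code, (answer or "").strip())


def demo(clock_start=1000.0):
    """Walk through the accept/reject cases with a controllable clock."""
    now = [clock_start]
    challenge = ImageNumberChallenge(ttl_seconds=300, clock=lambda: now[0])
    out = {}
    code = challenge.issue("sess-A")
    out["code_shape"] = len(code) == 6 and code.isdigit()
    out["correct"] = challenge.verify("sess-A", code)       # first use: accepted
    out["replay"] = challenge.verify("sess-A", code)        # second use: rejected
    code_b = challenge.issue("sess-B")
    wrong = "000000" if code_b != "000000" else "111111"
    out["wrong"] = challenge.verify("sess-B", wrong)
    code_c = challenge.issue("sess-C")
    now[0] += 301                                           # past the lifetime
    out["expired"] = challenge.verify("sess-C", code_c)
    out["never_issued"] = challenge.verify("sess-D", "123456")
    return out


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case:13s} accepted={accepted}")
```

Binding the code to the session and spending it on first use is what makes the field useful against a resubmitting script: each attempt needs a new page load and a fresh code, and a code captured from one session cannot be replayed in another.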