
User identification

User identification follows the classic scheme: the user enters a username and a password. The username must consist of at least three symbols and the password of at least six symbols. This ensures a high level of protection against password brute-forcing.

After user registration, the database stores the username in plain form and a special sequence of symbols (a hash) calculated from the password using the MD5 algorithm and a special algorithm that is individual for each site. The hash cannot be used to restore the password to its initial form. In addition, a user with the same name on different sites will have a different hash on each site, which rules out accidental password recovery for users who are registered on more than one site.

Users with identical names cannot be registered. Uniqueness is checked both at the software level and at the database level using a unique key. Most databases are not case-sensitive with respect to the username. In Bitrix Site Manager, case is taken into account and an exact match is required.

To preserve the result of a successful authorization between a visitor's requests to different pages, the PHP session mechanism is used. It is based on temporary session cookies, which are not stored on the user's computer and are cleared when the browser closes.

Notes for administrator

Because PHP stores session data on the server in temporary files, you should check their location in the php.ini file (the session.save_path variable) and make sure this folder is well protected from unauthorized access. If you use shared hosting, ensure that a separate folder is used for each web site and that other users cannot view or modify this folder. For more security, you can store session data in a database or in memory by editing the session.save_handler variable in the php.ini file.

It is strongly recommended not to include session identifiers in links; disable this feature by setting session.use_trans_sid = 0 in the php.ini file. Please also note the session duration variable, session.cache_expire. The recommended time is 180 seconds.

After the correct username and password are entered, the visitor's session is marked as successfully authorized. No flags, names or passwords are transferred to the client in cookies that would make it possible to tell that this session is authorized or to falsify the authorization result by modifying cookie variables.
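The checks from the administrator notes above can be scripted; the following is an added example, not code from Bitrix Site Manager, and its function names are illustrative. It reads the effective PHP settings with ini_get() and inspects the session folder's permission bits. It assumes a Unix-like host, and it also checks session.cookie_lifetime, a standard PHP directive that the page does not name but that controls whether the session cookie is temporary.

```php
<?php
// Added example; names are illustrative, not part of Bitrix Site Manager.

// session.save_path may be "/path", "N;/path" or "N;MODE;/path"; take the last field.
function session_dir(string $savePath): string
{
    $parts = explode(';', $savePath);
    $dir = trim(end($parts));
    // An empty value makes the "files" handler use the system temp directory.
    return $dir !== '' ? $dir : sys_get_temp_dir();
}

function audit_session_config(): array
{
    $findings = [];

    // Session identifiers must not be rewritten into links.
    if (filter_var(ini_get('session.use_trans_sid'), FILTER_VALIDATE_BOOLEAN)) {
        $findings[] = 'session.use_trans_sid is enabled; set it to 0';
    }
    // Temporary session cookies have a lifetime of 0 (cleared when the browser closes).
    if ((int) ini_get('session.cookie_lifetime') !== 0) {
        $findings[] = 'session.cookie_lifetime is non-zero; the cookie outlives the browser session';
    }
    // Only the "files" handler keeps session data in a directory.
    if (ini_get('session.save_handler') !== 'files') {
        return $findings;
    }
    $dir = session_dir((string) ini_get('session.save_path'));
    $perms = @fileperms($dir);
    if ($perms === false) {
        $findings[] = "cannot read permissions of session directory $dir";
        return $findings;
    }
    if (rtrim($dir, '/') === rtrim(sys_get_temp_dir(), '/')) {
        $findings[] = "$dir is the shared system temp directory; use a per-site folder";
    }
    if ($perms & 0004) {
        $findings[] = "$dir can be listed by other users (file names contain session IDs)";
    }
    if (($perms & 0002) && !($perms & 01000)) {
        $findings[] = "$dir is writable by other users and has no sticky bit";
    }
    return $findings;
}

foreach (audit_session_config() as $finding) {
    echo "[!] $finding\n";
}
echo 'session.cache_expire = ' . ini_get('session.cache_expire') . "\n";
```

Run it through the same PHP setup that serves the site, because the command-line PHP binary can load a different php.ini.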

Notes for administrator

Because data is transferred to and from the server in plain form over the HTTP protocol, it can theoretically be intercepted at the transport layer. Thus, when developing complex business, banking or other critical applications, it is recommended to use the HTTPS protocol with SSL encryption when working with the server. Users may be forced to use the HTTPS server when attempting to access the administrative section of the site.






Bitrix Site Manager Version 7.0



© 2001-2008 Bitrix, Inc. Bitrix® is a registered trademark of Bitrix, Inc.