Login and security

The user identification starts with the session_start() function, which initiates a new or continues an existing session. A name is used so that the system can maintain a safe single user connection. PHP always stores a corresponding cookie in the browser of the user, which includes a unique ID. Similarly, the session must be distinct from any session that might exist on the same domain or website. Sessions are saved inside 'monofiles/session' since MonoCMS 2.0.

SimpleXML

Using SimpleXML is very common when working with xml files, like the one below:


This way we gather up all user data to a SimpleXML element and continue to user identification and data saving in the log file. If the combination of username and password given by the user, exists in this element, the user is allowed to visit the control panel. Note that while the username is stored in the session and saved in the log file, the user's password is never stored, either in session or the log file. User identification is based on password_hash function which reads the hashed password as a parameter. Hashed paswords though are saved inside the 'monofiles/log.xml' file.

Use of functions

It is easy to use some of the system functions yourself, if you wish to write your own code and pages. Here are some examples:

Load xml file of a page and print the title of the page
$page = simplexml_object('filename','l','page');
echo $page->pageinfo->page->title;

Create a simplexml element from a xml file, which is neither a page or a post (null)

simplexml_object('filename','e','null');

Load the settings using getXMLSettings class

$settings = new getXMLSettings;

Print a post title from a class

$post = new getXMLPost('path_to_xmlfile_of_post');
echo $post->title;

 or a function
echo getxmlpost('path_to_xmlfile_of_post')['title'];

Save a new post category using a simplexml element ($addcat);
simplexml_object_save('categories.xml',$addcat,null);

Cryptography

Password_hash first appeared in PHP 5.5 and we use it for password encryption. The password hash is saved and compared to the hash of the password given by the user, using password_verify.


Using password_needs_rehash, PHP checks whether or not password needs to be re-encrypted, which, usually, happens in two cases:
- When a different version of PHP, that has a different default encryption algorithm, has been installed.
- When set-cost.php gives us a different cost result than the previous one. The cost is a parameter of password_hash and password_needs_rehash functions and regulates the complexity of encryption by delaying the execution of these functions.

In the case of MonoCMS, it depends on the server performance. MonoCMS follows the PHP example of automatically finding a good cost. In case of a hardware upgrade or the system is transferred to another server, or even just a usual login, it is possible that the cost will change and force password_needs_rehash to re-hash the user password. This is done while the user is logging in. In the line above, if the new value of $cost is not the same as the value of cost contained in $password, the password is going to be re-encrypted.

Re-hashing starts in set-cost.php:

Here time is set at 100 milliseconds. We test password_hash speed, starting from cost = 4. If the test is completed in less than the given time, the cost value increases by 1 and the test is repeated. If completion time is more than given time, the test is over and we get the result.


If a password_hash test lasts more than 1 second, the cost and encrypted password, remain the same.
Below is an example of manually applying a cost:

User block

A user is blocked after a few failed login attempts, by blocking the user's ip address. A blocked user is prevented from reaching the login page. You can change the values of this function by modifiyng the next lines inside data_connect.php.

log.php and saved data

We use /monofiles/filesinfo folder to save most of our control panel data, including:

- General information like the total number of posts, the total number of pages, the date of the last failed login attempt and the last modification date of any of the above. This is how to get the total number of pages:


- To load personal account information. We do this by using either the username or the userID as a parameter. The userID is a unique code which is stored along with other account information:

In the example above, we retrieve the user's account type, using the userID that we have previously saved in the session.
Note: Despite the fact that the userID is saved alongside the username, it doesn't work as a password and it doesn't grant any access to the user.

- To update all of the above. For example, this is how we can change the total number of posts to 12:
This is how we update an account, if information is given:

We can also delete an account in a similar way:

The $id variable contains the userID.


Saving data in MonoCMS is basically done by writing to xml files.
Saving in session is also a quick method of storing information, mainly used for control panel needs and all of the data is deleted as soon as the user is logged out. Xml και htm files are useful when we want to store posts and pages data, like text, titles, images etc. We save most of the posts information inside xml files, except for the main body of a post, which is saved in a separate htm file. Xml is used for the majority of data storing such as user accounts info and logging activity.

User accounts

Account management allows multiple users to have access to MonoCMS control panel, using their username and password. There are two differrent types of accounts: Administrator and author.

As an administrator, the user has complete access to control panel, while authors can create their own posts and also have access to some personal account information modification and settings and also to some plugins.

In general:

- Only an administrator has access to account manager.
- Every administrator can create or delete accounts of other administrators and authors.
- An administrator account rights can be changed to author and backwards.
- Administrators can delete their own account as well.
- The last administrator account cannot be deleted or converted to author.
- An administrator can also be the website owner which means this account cannot be deleted.

Plugins

Plugins are PHP files, stored in 'plugins' or 'plugins/user' folders (depending on the kind of configuration the plugin is intented for, general or user). Since MonoCMS 2.0, there is also a dedicated plugins page. Plugin files are included in the end of every control panel page. For a plugin file to work, we must also create a.txt file with the same filename and store it together with its php counterpart.

Extensions

Extensions are also PHP files, stored in 'monofiles' folder and included before the start of the html of a control panel page. A .txt file which corresponds to the extension contains information about the extension, is saved inside 'monofiles/ext'. The .txt file is needed for the extension to work.

Backup

Most web servers are usually configured to keep your website backup, but it is really easy with MonoCMS as well. More specifically:

/monofiles/autosaves/: Contains all posts.
/monofiles/savedpages/: Contains all pages.
/monofiles/filesinfo/: Contains all user accounts, log info and system settings.




Last update on 16 Jun, 2022.