Search code examples
phpconfigurationenvironmentini-set

How to set up a secure PHP environment on a wide base of PHP configurations

I'm just finishing a CMS that I want to release as open source. The program has some ini_set() directives to set a secure environment, like session.use_only_cookies, etc. The problem is that some hosts don't allow ini_set() and only allow configuration with the php.ini file. Is there a way to set up a secure PHP environment on a wide base of PHP configurations? How do other PHP programs face this problem (e.g. Wordpress, Drupal etc.).

Solution

  • Generally speaking :

    • In your software :
      • try to not depend on too many system-wide settings
      • have something that works with default settings (see the php.ini file(s) that are provided with a default PHP installation -- both from php.net, and from the major Linux distributions)
    • Write some short and clear list of requirements
    • Code some kind of installation script, that will :
      • check automatically for those requirements,
      • and explain how to set those that are not properly configured