Next: Management Issues Up: SciCon Installation Document Previous: Installation   Contents


Configuring SciCon$^{\textrm{PHP}}$

Security issues

Wither SSL..

If you are not taking credit cards online, then you might decide not to configure SSL into your server. This is especially true if you do not purchase a commercial-grade certificate from a certifying authority. Some users will be confused when their browser complains about your server's certificate being invalid or untrustworthy. Moreover, it could be argued that the contact author's password is unlikely to be a target for crackers snooping the network. Any changes to a submitted paper's details are emailed back to the contact author anyway.

You might decide to configure SSL just for the administrative tree(s) of your server, which are only visited by your group. This is useful because the traffic between the server and your clients will be encrypted, including the login access to your administrative pages. In this case you will need to provide two web tree configurations: one for the general web tree, and one for the administrative pages. For this case you do not need to worry about purchasing a certificate for your server. You may instead sign your own certificate.
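The split described above could look like the following. This is an added example, not part of the SciCon distribution; it assumes Apache httpd 2.4 with mod_ssl and mod_alias, and the hostname, paths and /admin location are hypothetical placeholders.

```apache
# Added example; assumes Apache httpd 2.4 with mod_ssl and mod_alias loaded
# and "Listen 80" / "Listen 443" set in the main server configuration.
# Hostname, file paths and the /admin location are hypothetical placeholders.
#
# Self-signed certificate for the admin tree (run once, as root):
#   openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
#     -subj "/CN=conf.example.org" \
#     -keyout /etc/ssl/private/scicon-admin.key \
#     -out /etc/ssl/certs/scicon-admin.crt

# Weak setting, shown for contrast: a single plain-HTTP tree that also
# contains the admin pages, so the administrative login is sent unencrypted.
#   <VirtualHost *:80>
#       ServerName conf.example.org
#       DocumentRoot /var/www/scicon
#   </VirtualHost>

# General web tree: plain HTTP for authors and attendees.
# The admin pages live outside this DocumentRoot.
<VirtualHost *:80>
    ServerName conf.example.org
    DocumentRoot /var/www/scicon/public

    # Never answer /admin in clear text; send the group to the SSL tree.
    Redirect permanent /admin https://conf.example.org/admin
</VirtualHost>

# Administrative tree: reachable over HTTPS only, self-signed certificate.
<VirtualHost *:443>
    ServerName conf.example.org
    DocumentRoot /var/www/scicon/public

    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/scicon-admin.crt
    SSLCertificateKeyFile /etc/ssl/private/scicon-admin.key

    Alias /admin /var/www/scicon/admin
    <Directory /var/www/scicon/admin>
        # Refuse the request outright if it somehow arrives without SSL.
        SSLRequireSSL
        # Login itself is left to the application's own admin pages.
        Require all granted
    </Directory>
</VirtualHost>
```

Because the certificate is self-signed, give your group its SHA-256 fingerprint out of band (`openssl x509 -noout -fingerprint -sha256 -in /etc/ssl/certs/scicon-admin.crt`) so they can compare it before accepting the browser warning.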

Credit card security

The necessary code for taking 'semi-online' credit card information is included. By 'semi-online' I mean that a form for credit card information allows us to retrieve and store the credit card details. However, the credit card transaction is done manually using debit machines rented for this purpose. It is of course preferable to avoid credit card issues where possible. Thus you should investigate online services available in your country which transfer the burden of online transactions elsewhere. You should aim to make the decision about your payment policies, and purchase the necessary service contracts, at least 4 months prior to opening online registration on your web site.

If you use the code provided for taking credit cards, then you MUST purchase a commercial-grade certificate for your server, and you must configure the registration pages to force users over the secure connection while taking their credit card information. In my opinion you must also allow people to fax their credit card information instead, if they so choose. Code is included which allows this. There will always be a few people who will claim that your secure server "doesn't work". In fact, we have seen a few cases where it seems likely that firewall configurations on their site interfere with connections over the HTTP SSL port (number 443).

There are some extra precautions to take as well to better secure credit card information on your server:


Denice DEATRICH 2003-10-12