
1. The Back End

The back end is the admin section for Kartris. In some cases the terms 'back end' and 'admin section' may be used interchangeably.

1.1. Logging in

test

1.2. Security

1.2.1. SSL

'Secure sockets layer' allows encrypted, secure communication between a browser and your web site. This must be set up on your site itself (rather than through Kartris). Kartris cannot use shared SSL; the certificate must be issued for the domain on which your site is running, and it must be applied directly in the Microsoft IIS web server (not via some external layer, as some hosts such as GoDaddy do).

1.2.1.1. Checking for SSL

The first step is to check your site has SSL enabled. To do this, simply go to the front page of your site and then edit the address in the browser so it uses HTTPS instead of HTTP. For example,

https://www.demo.xyz/

If you see an error in your browser that the site is untrusted, or that the connection was interrupted, or any other browser error, then SSL is NOT running properly on your site. You should contact the host or your developer if you believe it should be.

Only once you have verified that SSL is installed and working should you attempt to activate the SSL support within Kartris.

1.2.1.2. Activating Kartris's SSL support

Once logged in to the back end, find the general.security.ssl config setting. There are three possible settings ('always on' SSL was introduced in Kartris v2.7000):
  • 'n' = off
  • 'y' = on for pages where sensitive data is transferred (login, checkout, back end, any page when a user is logged in)
  • 'a' = always on, SSL for all pages

Scope of SSL

SSL puts an additional overhead on a web server and a user's browser, and so in the past it tended to be used only in places where sensitive data is transferred, especially for credit card transactions. There was seen to be little point in applying SSL to all traffic, such as when a casual visitor is browsing the site or a search engine is spidering it.

However, in recent years, SSL has become more widespread. Many web sites such as Google use SSL by default, and the revelations by Edward Snowden of pervasive internet surveillance by western security agencies have further highlighted the issues of eavesdropping and user privacy. In summer 2014, Google indicated that it would start to give slight preference in its results to sites running SSL, which is likely to see a surge in the take-up of 'always on' SSL.

1.2.2. IP Restrictions

While the username and password system provides a decent level of security, it is not fool-proof. If your computer is lost or stolen, or some spyware passes your access details to a potential attacker, then the attacker could use your details to access your site. An attacker may also attempt a brute force attack: repeated trial-and-error attempts at logging in.

Since the number of admin users is typically quite small, and they will normally access from one or two locations (e.g. office or home), then it is possible to apply extra security to the back end in the form of an IP address restriction. For this to work, you must have a fixed IP (or one within a relatively narrow range).

Open up the web.config file in the root of the web, and find this tag:

<add key="BackEndIpLock" value=""/>

Into the value, add your IP address, or part of your address. Separate multiple values with a comma. For example:

000.000.000.000,111.111.111

(the first number is a single IP address, the second is a partial IP address)

If you have your own server or virtual server, and have admin access to the IIS web server, you can restrict access to the back end through this.

In IIS 6, the ability to limit access by IP is built in. In IIS 7, you might have to activate this feature separately.

Using IIS to enforce security in this way adds an additional level of security because it is completely independent of Kartris. Anyone trying to access the Kartris back end will be turned away unless their IP address matches one of those you have expressly authorized. Kartris pages won't even get run.

You can also ban particular IP addresses and ranges (although it is far better from a security perspective to 'deny all' and then allow specific addresses rather than try to ban problem IPs and ranges).
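As an added example (not Kartris's own web.config, and not taken from the Kartris project), here is how the two layers described above, the Kartris BackEndIpLock setting and an IIS 7 'deny all, then allow specific addresses' rule, look together in one web.config. The addresses are documentation ranges (RFC 5737), not real offices; the "Admin" folder path for the back end is an assumption, so substitute whatever path your installation uses.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example, not Kartris's shipped web.config. Two independent layers of
     back-end IP restriction. 203.0.113.5 and 198.51.100.0/24 are documentation
     addresses standing in for an office and a home range. -->
<configuration>
  <appSettings>
    <!-- Layer 1: Kartris's own check. Comma-separated; each entry is either a
         full address or the leading part of one. Keep partial entries as long
         as you can: a short prefix such as "10.0.1" would, if matched as a raw
         string, also admit 10.0.10.x and 10.0.11.x. -->
    <add key="BackEndIpLock" value="203.0.113.5,198.51.100"/>
  </appSettings>

  <!-- Layer 2: IIS "IP and Domain Restrictions", enforced by the web server
       before any Kartris page runs. allowUnlisted="false" is the 'deny all'
       default; the add entries are the expressly authorized addresses.
       Scoped to the back-end folder (path assumed) so the shop front stays
       public. -->
  <location path="Admin">
    <system.webServer>
      <security>
        <ipSecurity allowUnlisted="false">
          <clear/>
          <!-- a single fixed address -->
          <add ipAddress="203.0.113.5" allowed="true"/>
          <!-- a narrow range, expressed as network address plus subnet mask -->
          <add ipAddress="198.51.100.0" subnetMask="255.255.255.0" allowed="true"/>
        </ipSecurity>
      </security>
    </system.webServer>
  </location>
</configuration>
```

Two things to check before relying on this: the IP and Domain Restrictions role service must be installed on IIS 7 (the page notes it may need activating separately), and the ipSecurity section is locked at server level by default in applicationHost.config, so a rule placed in a site's web.config is ignored until that section is unlocked (or the same rule is entered through IIS Manager at the server or site level). Test from an address that is not on the list and confirm you get a 403 from IIS rather than a Kartris login page; that is the sign the restriction is being applied independently of Kartris, as the section above describes.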

1.3. Navigation and toolbar buttons

This section gives a quick overview of getting around within Kartris. We'd strongly recommend you read this section, as some of its useful features will save you a lot of time and hassle but aren't necessarily obvious.

A. Front/back end toggle - this button takes you to the front end of the web site. A similar button will be visible on the front end if you are logged in as an admin, to take you to the back end. The button is context aware: if you are viewing a product, category, custom page or KB article, the button will toggle you to the same item in the front or back end.
B. Start/stop Kartris - you can open and close the front end of Kartris using this button. When logged in as admin, you can still see the front end, but the public will see a 'site closed' message instead.
C. Main menus - these dropdown menus provide access to all Kartris's back end features.
D. Login status - your username is displayed here, together with four pips indicating permissions for various roles in Kartris. A solid pip (as above) indicates you have the permission; a hollow pip indicates you don't. You can hover on each pip to see the permission role it corresponds to.
E. Logout button - does what it says on the tin.
F. Home button - takes you to the back end home page.
G. Category treeview - this is an expandable navigation menu showing the entire product catalogue. For performance reasons, sections are loaded via AJAX only when expanded, so the entire menu (with all content) does not have to be rendered. Items that are turned off ('Show on site' is unchecked) show with grey icons.
H. Category home page - displays the top level categories page; you can drill down to any item from here.
I. Refresh cache - for performance reasons, Kartris caches most types of content that change rarely and are not user-specific. In most cases, the caches will automatically be updated when necessary, but this button forces the caches to clear just in case. It will also reset the treeview to the default position.
J. To do list - Kartris will flag tasks that need your attention, such as new orders, items out of stock, and so on.
K. Search - this handy search box will find most things: products, versions, customers, language strings, config settings, etc. You can of course search for these things from within their respective sections, but generally it's just easier to put an SKU or a customer email address in here and let Kartris do the heavy lifting.

1.4. Creating and managing logins

Kartris will create an admin account for you during the setup process. However, many store owners will need to have multiple staff members accessing the back end. Kartris therefore allows an unlimited number of extra back end accounts to be created, with varying levels of access.

1.4.1. Creating logins

The login management page can be found by going to Configuration > Logins. All logins for the site will be displayed in tabular format. Checkboxes show the permissions settings for each account, as well as whether or not the login is live.

The primary login accounts for Kartris don't have any 'delete' option and the permissions for these accounts cannot be changed. This ensures that the main admin accounts are always valid, and that you cannot inadvertently lock yourself out of control by removing the primary accounts or reducing their access level.

Note that anyone with config permissions can create new users with any permissions they wish, or edit their own permissions to give themselves any permissions they choose. Bear this in mind if you grant configuration permissions to a user but deny them 'orders' permission, for example: the user would be able to edit their own permissions to give themselves 'orders' permission if they wanted.