formVista™ Installation Guide
Because many data files and utilities are included under the DOCUMENT_ROOT, where they could potentially be exploited by a malicious user, formVista uses a couple of approaches to add security where necessary. The entire security model, however, depends on a working .htaccess configuration, so that the "deny from all" feature works, and on .phps files being turned off.
One technique for improving the file system security of data files hosted under DOCUMENT_ROOT is to encode the data files themselves as php files. For instance, formVista implements its own session handler and stores temporary session files under formvista/site_local/var/sessions/temporary. These files are all ".php" files and the session data itself is included in a php comment. The directory itself is protected by a .htaccess file that includes the "deny from all" command. However, should someone circumvent that protection, loading the session file in a browser will result in a blank page, because the php comment produces no output.
Other sensitive files, such as FVML source files, implement a similar scheme: the file is encoded as a php file whose first line is <?php exit(0); ?>.
A similar approach is used for the logfiles in formvista/site_local/var/logs.
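An added example, not part of formVista or its setup: a Python audit that checks one data directory for both protections described above, a .htaccess that denies access and .php files whose first line is the exit guard. It assumes every data file in the audited directory uses the first-line guard (session files, which wrap their data in a php comment instead, would be flagged); the function names and sample files are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# First-line guard quoted in the guide; anything before "<?php" would be sent to the client.
GUARD = re.compile(r"^<\?php\s+exit\(0\);\s*\?>\s*$")
# "deny from all" as in the guide; "Require all denied" is the Apache 2.4 spelling.
DENY = re.compile(r"^\s*(deny\s+from\s+all|require\s+all\s+denied)\s*$", re.I | re.M)


def audit_dir(root):
    """Return sorted (path, problem) findings for one data directory."""
    findings = []
    htaccess = Path(root, ".htaccess")
    if not htaccess.is_file():
        findings.append((str(htaccess), "missing"))
    elif not DENY.search(htaccess.read_text(encoding="utf-8", errors="replace")):
        findings.append((str(htaccess), "no active deny directive"))
    for path in Path(root).rglob("*"):
        if not path.is_file() or path.name == ".htaccess":
            continue
        if path.suffix != ".php":
            findings.append((str(path), "not .php: served verbatim if .htaccess fails"))
            continue
        with path.open(encoding="utf-8", errors="replace") as fh:
            first = fh.readline()
        if not GUARD.match(first):
            findings.append((str(path), "first line is not the exit guard"))
    return sorted(findings)


def demo():
    """Audit a constructed sample tree (all file names and contents are made up)."""
    samples = {
        ".htaccess": "# deny from all\n",                   # directive commented out
        "good.php": "<?php exit(0); ?>\nsample log line\n",
        "late_guard.php": "sample\n<?php exit(0); ?>\n",    # guard not on line 1
        "raw.log": "sample log line\n",                     # wrong extension
    }
    with tempfile.TemporaryDirectory() as root:
        for name, body in samples.items():
            Path(root, name).write_text(body, encoding="utf-8")
        found = audit_dir(root)
        return [(Path(p).relative_to(root).as_posix(), why) for p, why in found]


if __name__ == "__main__":
    for path, why in demo():
        print(f"{path}: {why}")
```

An empty result from audit_dir means both layers are in place on disk; it does not show that the web server actually honors .htaccess files.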
The locations of session files, log files and the like are controlled by the master configuration file located in formvista/conf/config.php. This file is generated by setup and is well documented. To change the location of the sessions directory, for instance, see the FVTK_SESSION_ROOT define in the config file.
Note: Any edits you make to the configuration files will be lost if setup is re-run. Make backups of any edited configuration files.