VOOZH about

URL: https://deepwiki.com/MahoCommerce/maho/5.2-security-and-authentication

⇱ Security and Authentication | MahoCommerce/maho | DeepWiki

Loading...
Loading...
Last indexed: 15 May 2026 (ea8ab8)
Menu

Security and Authentication

This document covers Maho's security infrastructure, including encryption at rest, request-level protections (CSRF, proof-of-work, session validation), admin authentication mechanisms, and browser security headers. The focus is on the technical implementation of these security layers within the modernized architecture.

For email-related security configurations, see Email System. For session storage details, see Session Management. For admin-specific access control (ACL), see Admin Architecture. For activity tracking and audit trails, see Logging and Activity Tracking.

Encryption System

Maho uses modern authenticated encryption for sensitive data at rest. The encryption key is stored in app/etc/local.xml and all encryption operations are centralized through Mage_Core_Helper_Data and Mage_Core_Model_Encryption.

Encryption Architecture



Diagram: Encryption System Architecture


Sources: <FileRef file-url="https://github.com/MahoCommerce/maho/blob/ea8ab87e/app/code/core/Mage/Core/Helper/Data.php#L23-L78" min=23 max=78 file-path="app/code/core/Mage/Core/Helper/Data.php">Hii</FileRef>


Encryption Methods































MethodPurposeReturn TypeImplementation
Mage::helper('core')->encrypt($data)Encrypt plaintext stringstringBase64-encoded ciphertext with nonce
Mage::helper('core')->decrypt($data)Decrypt ciphertextstringAuthenticated decryption via Sodium
Mage::helper('core')->getEncryptor()Get encryption model instanceMage_Core_Model_EncryptionFactory pattern via Mage::getModel()


The getEncryptor() method resolves the model class from the configuration path global/helpers/core/encryption_model, defaulting to Mage_Core_Model_Encryption.


Sources: <FileRef file-url="https://github.com/MahoCommerce/maho/blob/ea8ab87e/app/code/core/Mage/Core/Helper/Data.php#L65-L78" min=65 max=78 file-path="app/code/core/Mage/Core/Helper/Data.php">Hii</FileRef>, <FileRef file-url="https://github.com/MahoCommerce/maho/blob/ea8ab87e/app/code/core/Mage/Core/Helper/Data.php#L23-L23" min=23 file-path="app/code/core/Mage/Core/Helper/Data.php">Hii</FileRef>




Request Security


CSRF Protection (Form Keys)


All state-changing admin requests require a valid form key. This is enforced at the controller level in Mage_Adminhtml_Controller_Action.




Diagram: CSRF Protection via Form Keys


Implementation:


    

  • Controllers specify actions requiring validation via $_forcedFormKeyActions. <FileRef file-url="https://github.com/MahoCommerce/maho/blob/ea8ab87e/app/code/core/Mage/Adminhtml/Controller/Action.php#L48-L48" min=48 file-path="app/code/core/Mage/Adminhtml/Controller/Action.php">Hii</FileRef>
    • 

  • The base controller's preDispatch() checks the form key for all POST requests when the user is logged in. <FileRef file-url="https://github.com/MahoCommerce/maho/blob/ea8ab87e/app/code/core/Mage/Adminhtml/Controller/Action.php#L174-L176" min=174 max=176 file-path="app/code/core/Mage/Adminhtml/Controller/Action.php">Hii</FileRef>
    • 

  • If validation fails, an error message is added to the session and the user is redirected to the startup page. <FileRef file-url="https://github.com/MahoCommerce/maho/blob/ea8ab87e/app/code/core/Mage/Adminhtml/Controller/Action.php#L191-L194" min=191 max=194 file-path="app/code/core/Mage/Adminhtml/Controller/Action.php">Hii</FileRef>
    • 

  • The _validateFormKey() function is also used in customer account controllers to protect sensitive operations like login.
    • 



Sources: <FileRef file-url="https://github.com/MahoCommerce/maho/blob/ea8ab87e/app/code/core/Mage/Adminhtml/Controller/Action.php#L148-L197" min=148 max=197 file-path="app/code/core/Mage/Adminhtml/Controller/Action.php">Hii</FileRef>


Bot Protection (Maho Captcha)


Maho integrates a modern Proof-of-Work (PoW) based captcha system using Altcha. This system protects forms from automated submissions without requiring user interaction in most cases.


    

  • Frontend Integration: Forms are selected via CSS selectors configured in the admin path admin/captcha/selectors. <FileRef file-url="https://github.com/MahoCommerce/maho/blob/ea8ab87e/app/code/core/Maho/Captcha/Helper/Data.php#L23-L23" min=23 file-path="app/code/core/Maho/Captcha/Helper/Data.php">Hii</FileRef>
    • 

  • Verification Logic: The backend verifies the PoW payload using Maho_Captcha_Helper_Data::verify(). It uses the system encryption key as the HMAC secret. <FileRef file-url="https://github.com/MahoCommerce/maho/blob/ea8ab87e/app/code/core/Maho/Captcha/Helper/Data.php#L39-L40" min=39 max=40 file-path="app/code/core/Maho/Captcha/Helper/Data.php">Hii</FileRef>, <FileRef file-url="https://github.com/MahoCommerce/maho/blob/ea8ab87e/app/code/core/Maho/Captcha/Helper/Data.php#L89-L137" min=89 max=137 file-path="app/code/core/Maho/Captcha/Helper/Data.php">Hii</FileRef>
    • 

  • Replay Protection: Validated payloads are cached using the maho_captcha tag to prevent reuse. <FileRef file-url="https://github.com/MahoCommerce/maho/blob/ea8ab87e/app/code/core/Maho/Captcha/Helper/Data.php#L101-L104" min=101 max=104 file-path="app/code/core/Maho/Captcha/Helper/Data.php">Hii</FileRef>, <FileRef file-url="https://github.com/MahoCommerce/maho/blob/ea8ab87e/app/code/core/Maho/Captcha/Helper/Data.php#L128-L128" min=128 file-path="app/code/core/Maho/Captcha/Helper/Data.php">Hii</FileRef>
    • 

  • JavaScript Setup: The MahoCaptcha JS object handles the PoW challenge, manages the Altcha widget state, and replicates the payload across all matching forms. <FileRef file-url="https://github.com/MahoCommerce/maho/blob/ea8ab87e/public/js/maho-captcha.js#L9-L175" min=9 max=175 file-path="public/js/maho-captcha.js">Hii</FileRef>
    • 

  • Controller Entry Point: Challenges are requested via Maho_Captcha_IndexController::challengeAction. <FileRef file-url="https://github.com/MahoCommerce/maho/blob/ea8ab87e/app/code/core/Maho/Captcha/controllers/IndexController.php#L14-L32" min=14 max=32 file-path="app/code/core/Maho/Captcha/controllers/IndexController.php">Hii</FileRef>
    • 



Sources: <FileRef file-url="https://github.com/MahoCommerce/maho/blob/ea8ab87e/app/code/core/Maho/Captcha/Helper/Data.php#L20-L138" min=20 max=138 file-path="app/code/core/Maho/Captcha/Helper/Data.php">Hii</FileRef>, <FileRef file-url="https://github.com/MahoCommerce/maho/blob/ea8ab87e/public/js/maho-captcha.js#L1-L176" min=1 max=176 file-path="public/js/maho-captcha.js">Hii</FileRef>, <FileRef file-url="https://github.com/MahoCommerce/maho/blob/ea8ab87e/app/code/core/Maho/Captcha/controllers/IndexController.php#L11-L34" min=11 max=34 file-path="app/code/core/Maho/Captcha/controllers/IndexController.php">Hii</FileRef>




Admin Authentication


Authentication Flow


The admin authentication process is managed by Mage_Admin_Model_Session and Mage_Admin_Model_User.


    

  • ACL Check: Individual controllers implement _isAllowed() to check specific resource permissions via the session singleton. <FileRef file-url="https://github.com/MahoCommerce/maho/blob/ea8ab87e/app/code/core/Mage/Adminhtml/Controller/Action.php#L74-L77" min=74 max=77 file-path="app/code/core/Mage/Adminhtml/Controller/Action.php">Hii</FileRef>
    • 

  • Resource Constant: Controllers define their required permission using ADMIN_RESOURCE, which defaults to admin. <FileRef file-url="https://github.com/MahoCommerce/maho/blob/ea8ab87e/app/code/core/Mage/Adminhtml/Controller/Action.php#L34-L34" min=34 file-path="app/code/core/Mage/Adminhtml/Controller/Action.php">Hii</FileRef>
    • 

  • Login Records: The resource model Mage_Admin_Model_Resource_User tracks login dates and counts. <FileRef file-url="https://github.com/MahoCommerce/maho/blob/ea8ab87e/app/code/core/Mage/Admin/Model/Resource/User.php#L45-L61" min=45 max=61 file-path="app/code/core/Mage/Admin/Model/Resource/User.php">Hii</FileRef>
    • 



Sources: <FileRef file-url="https://github.com/MahoCommerce/maho/blob/ea8ab87e/app/code/core/Mage/Adminhtml/Controller/Action.php#L74-L77" min=74 max=77 file-path="app/code/core/Mage/Adminhtml/Controller/Action.php">Hii</FileRef>, <FileRef file-url="https://github.com/MahoCommerce/maho/blob/ea8ab87e/app/code/core/Mage/Admin/Model/Resource/User.php#L45-L61" min=45 max=61 file-path="app/code/core/Mage/Admin/Model/Resource/User.php">Hii</FileRef>


User Management and Roles


Admin users and their permissions are stored in the database and managed via resource models.






















EntityTableModel
Admin Useradmin_userMage_Admin_Model_User
Admin Roleadmin_roleMage_Admin_Model_Role


The Mage_Admin_Model_Resource_User handles persistence, including unique field validation for emails and usernames. <FileRef file-url="https://github.com/MahoCommerce/maho/blob/ea8ab87e/app/code/core/Mage/Admin/Model/Resource/User.php#L25-L38" min=25 max=38 file-path="app/code/core/Mage/Admin/Model/Resource/User.php">Hii</FileRef>


Sources: <FileRef file-url="https://github.com/MahoCommerce/maho/blob/ea8ab87e/app/code/core/Mage/Admin/Model/Resource/User.php#L13-L240" min=13 max=240 file-path="app/code/core/Mage/Admin/Model/Resource/User.php">Hii</FileRef>




Data Integrity and Serialization


Maho has modernized its data handling to prefer JSON over legacy PHP serialization for security reasons (mitigating PHP Object Injection).


    

  • Unserialization Helper: Mage_Core_Helper_UnserializeArray acts as a safe wrapper. It first attempts json_validate() and jsonDecode(). <FileRef file-url="https://github.com/MahoCommerce/maho/blob/ea8ab87e/app/code/core/Mage/Core/Helper/UnserializeArray.php#L33-L35" min=33 max=35 file-path="app/code/core/Mage/Core/Helper/UnserializeArray.php">Hii</FileRef>
    • 

  • Legacy Fallback: If the input is not JSON, it falls back to unserialize() with allowed_classes set to false. <FileRef file-url="https://github.com/MahoCommerce/maho/blob/ea8ab87e/app/code/core/Mage/Core/Helper/UnserializeArray.php#L38-L41" min=38 max=41 file-path="app/code/core/Mage/Core/Helper/UnserializeArray.php">Hii</FileRef>
    • 

  • Passthrough Logic: If the data is already an array (e.g., from a previous load), the helper returns it as-is to prevent double-processing errors. <FileRef file-url="https://github.com/MahoCommerce/maho/blob/ea8ab87e/app/code/core/Mage/Core/Helper/UnserializeArray.php#L29-L31" min=29 max=31 file-path="app/code/core/Mage/Core/Helper/UnserializeArray.php">Hii</FileRef>
    • 



Sources: <FileRef file-url="https://github.com/MahoCommerce/maho/blob/ea8ab87e/app/code/core/Mage/Core/Helper/UnserializeArray.php#L13-L47" min=13 max=47 file-path="app/code/core/Mage/Core/Helper/UnserializeArray.php">Hii</FileRef>




Template and Block Security


To prevent arbitrary code execution in CMS content and email templates, Maho uses allowlists for blocks.


    

  • Block Directive: The blockDirective in Mage_Core_Model_Email_Template_Filter checks if a block type is allowed via the _permissionBlock model. <FileRef file-url="https://github.com/MahoCommerce/maho/blob/ea8ab87e/app/code/core/Mage/Core/Model/Email_Template_Filter.php#L141-L154" min=141 max=154 file-path="app/code/core/Mage/Core/Model/Email_Template_Filter.php">Hii</FileRef>
    • 

  • Permission Logging: If an unauthorized block type is requested in a template, Maho logs a "Security problem" message and refuses to render the block. <FileRef file-url="https://github.com/MahoCommerce/maho/blob/ea8ab87e/app/code/core/Mage/Core/Model/Email_Template_Filter.php#L153-L153" min=153 file-path="app/code/core/Mage/Core/Model/Email_Template_Filter.php">Hii</FileRef>
    • 



Sources: <FileRef file-url="https://github.com/MahoCommerce/maho/blob/ea8ab87e/app/code/core/Mage/Core/Model/Email/Template/Filter.php#L141-L181" min=141 max=181 file-path="app/code/core/Mage/Core/Model/Email/Template/Filter.php">Hii</FileRef>




Browser Security Headers


Maho configures several security headers via .htaccess and PHP to protect against common web attacks.


    

  • X-Content-Type-Options: Set to nosniff to prevent MIME-type sniffing. <FileRef file-url="https://github.com/MahoCommerce/maho/blob/ea8ab87e/public/.htaccess#L73-L73" min=73 file-path="public/.htaccess">Hii</FileRef>
    • 

  • X-XSS-Protection: Set to 1; mode=block to enable browser XSS filtering. <FileRef file-url="https://github.com/MahoCommerce/maho/blob/ea8ab87e/public/.htaccess#L76-L76" min=76 file-path="public/.htaccess">Hii</FileRef>
    • 

  • Cache Control: Admin controllers explicitly set headers to prevent sensitive data from being cached by browsers. <FileRef file-url="https://github.com/MahoCommerce/maho/blob/ea8ab87e/app/code/core/Mage/Adminhtml/Controller/Action.php#L151-L153" min=151 max=153 file-path="app/code/core/Mage/Adminhtml/Controller/Action.php">Hii</FileRef>
    • 



Sources: <FileRef file-url="https://github.com/MahoCommerce/maho/blob/ea8ab87e/public/.htaccess#L71-L78" min=71 max=78 file-path="public/.htaccess">Hii</FileRef>, <FileRef file-url="https://github.com/MahoCommerce/maho/blob/ea8ab87e/app/code/core/Mage/Adminhtml/Controller/Action.php#L150-L153" min=150 max=153 file-path="app/code/core/Mage/Adminhtml/Controller/Action.php">Hii</FileRef>