How to set up a secure PHP environment on a wide base of PHP configurations

Question

I'm just finishing a CMS that I want to release as open source. The program has some ini_set() directives to set a secure environment, like session.use_only_cookies, etc. The problem is that some hosts don't allow ini_set() and only allow configuration with the php.ini file. Is there a way to set up a secure PHP environment on a wide base of PHP configurations? How do other PHP programs face this problem (e.g. Wordpress, Drupal etc.).

Answer 1

Generally speaking :

• In your software :
  • try to not depend on too many system-wide settings
  • have something that works with default settings (see the php.ini file(s) that are provided with a default PHP installation -- both from php.net, and from the major Linux distributions)
• Write some short and clear list of requirements
• Code some kind of installation script, that will :
  • check automatically for those requirements,
  • and explain how to set those that are not properly configured

Answer 2

You could output a warning if you encounter a setting that you deem unsecure.

Many web apps do it that way, e.g. if the install script isn't deleted, or the administrator has a default password.