24/7 Support: 800.608.6482

Get Started

Reference Guide

Domain Settings

Information

Domain Name: The domain name where your store will be hosted. It is usually set up when your first store is created and rarely changes after that. You can have multiple stores under the same domain. If you change your domain, Miva Merchant usually makes the change for you.
IP Address: The IP address of your store on the server
License #: The license number that was entered when the store was created.
Partner: The partner is whoever you purchased your store from. In some cases this is Miva Merchant, but there are also distributors who sell stores.
Version: The Miva Merchant software version that is currently installed.
Licensed Concurrent Users: This is a static field that tells you how many concurrent licenses you have. In Miva Merchant Version 9, you can create as many admin accounts as you wish, but the number of admin users who can login at the same time is limited by the number of licenses that you've purchased.
Manage Additional Licenses: See Admin User Licensing in Version 9.
Admin Sessions: A static label that tells you how many admin users are currently logged in. See also Domain Settings > Administrative Sessions.
Reset Session Statistics: The Admin Sessions field tells you how many admin users are currently logged in, and the largest number of admin users that have ever been logged into your store at the same time. For example, you might see an Admin Sessions field that looks like this:

Session

If you reset the session statistics, the Admin Sessions field would look like this: Session

Registration

The fields in this tab are usually filled out when your first store is created.

Site Configuration

Notes for the Site Configuration tab:

  • The settings in this tab are for advanced users. It's important that you understand the use of these settings before you make any changes.
  • In PR8 Update 9, cookie settings were moved to their own tab. See Domain Settings > Domain Details tab > Cookie Settings section.
  • In PR8 Update 9, mail settings were moved to their own tab. See Global Settings > Domain Settings > Mail Settings Tab
Non-secure URL to Miva Merchant: The http URL to your on-line store.
Secure URL to Miva Merchant: Normally this is the same as the non-secure URL to Miva Merchant, but using https. However, it can be different if you are using a shared SSL certificate.
Include Session Parameters in Miva Merchant URLs: In general it should not be necessary to change this setting. This setting only affects the use of a session ID as an URL parameter and only applies if you are using longlinks. If you are using short links, your store will ignore the "include session parameters" settings.
  • Never: the session ID will never be included as an URL parameter.
  • When transitioning between Secure and Non-Secure URLs: Non-secure pages generate unencrypted cookies that contain a session id. When you move to a secure page, the session ID is passed as an URL parameter and is copied to an encrypted cookie because PCI compliance requires that secure pages have separate cookies.
  • Always: the session ID always appears as an URL parameter.
Secure URL to Administration: The https URL to the Miva Merchant admin program.
Root Directory for Graphics: The directory on the server that contains all graphics and graphics subdirectories.
Secure Root Directory for Graphics Same purpose as the "non-secure" root directory for graphics, but applied to your secure store path.
Base URL for Graphics: The URL that points to the root directory for graphics.
Secure Base URL for Graphics Same as the Base URL for Graphics, but used by your secure store, if you have one.
Root Directory for Modules Sets the relative directory for modules.
Secure Root Directory for Modules Same purpose as the "non-secure" root directory for modules, but applied to your secure store path.
Use Strict Validation for Codes: When checked, requires that you enter only alphanumeric characters, the underscore ( _ ) and hyphen (-) for the Login and all codes in Miva Merchant, such as the product code, category code, etc. Strict Validation is recommended and is the default. Caution: If you clear the Use Strict Validation for Codes check box, Miva Merchant will allow other characters. However, symbols and punctuation should generally be avoided, and some symbols (such as the %, &, and #) are never allowed for a code. If, after being off, Strict Validation is turned on again, codes which had been valid will become invalid.
Preferred Ciphers: The Preferred Cipher list is a comma separated list of OpenSSL cipher strings. When Miva Merchant needs to encrypt something in the database, it looks in this field and selects a cryptographic algorithm.
  • The default list for newly installed stores is: aes-256-cbc,aes-128- cbc,bf-cbc
  • When a store is upgraded to PR8 Update7, the list is initially blank. The software will use a cipher that is compatible with all versions of the Miva Merchant software.
  • Only "cbc" mode ciphers are used for order encryption as of PR8 Update7, so they have to have "cbc" in the string somewhere:
    • aes-256-cbc is AES256
    • aes-128-cbc is AES128
    • bf-cbc is 128-bit Blowfish (used by releases before PR8 Update7)
JavaScript: The admin interface uses about 80 JavaScript files. These files do not affect your on-line store, but are only used to support features in the admin interface. This field gives you options for organizing the files that can make the admin interface faster.
  • Separate: Leave the JavaScript in separate files.
  • Combined: Combine all of the JavaScript into a single file. Instead of loading a bunch of JavaScript files, the admin interface only has to load one.
  • Combined and Minified: Combining and "mini-fying" theoretically further improves load time by removing all white space in the file. The admin interface only has to load one huge line of JavaScript.

Password Settings

These settings affect accounts for Miva Merchant administrators who are using the admin interface. The default settings meet PCI compliance. See also: To Set Password Security for Customer Accounts.

Most of the settings in this section are obvious. A few that are not obvious are documented below.

Enable TOTP (Google Authenticator) Two-Factor Authentication: Check this box to enable two factor authentication in the admin interface. See Two Factor Authentication in Miva Merchant.
TOTP Time Step:

The frequency with which the QR code authenticator application on your cell phone will generate an authorization code.

NOTE: If you are using Google Authenticator on your cell phone, you must leave this field at the default setting (30).

94
TOTP Start: Defaults to "0", which is the Unix epoch time: January 1st 1970 at midnight. See: http://en.wikipedia.org/wiki/Unix_time NOTE: If you are using Google Authenticator on your cell phone, you must leave this field at the default setting (0).
TOTP Window:

The number of recently generated authentication codes that you can enter to log into the admin interface.

Defaults to 1 (one before and one after the current authentication code). If you leave this field set at 1, you could use any of three authentication codes to log into the admin interface:

  • The authentication code you are currently viewing on your cell phone.
  • The previous authentication code.
  • The next authentication code that you generate.

This mechanism for allowing more than one authentication code to be valid at the same time is used to handle the possibility that the clock on your cell phone is slightly different from the system clock on your store server.

If you set this field to "2", you could log into the admin interface using any one of five authentication codes:

  • The authentication code you are currently viewing on your cell phone.
  • The previous two authentication codes.
  • The next two authentication codes that you generate.

NOTE: If you are using Google Authenticator on your cell phone, you must leave this field at the default setting (1).

TOTP Digits:

The length of the authentication code that you must enter to log into the admin interface.

NOTE: If you are using Google Authenticator on your cell phone, you must leave this field at the default setting (6).

50

Two Factor Authentication in Miva Merchant

Two factor authentication is often used when you supply your credentials to gain access to a site or service. When you login to the Miva Merchant admin interface, you have to enter your username and password (your "first factor" authentication). With two factor authentication, you not only have to enter your username and password, but you typically would have to use some other device or channel to get access. For example, in addition to your username and password, you might have to enter a special authorization code that you get from your cell phone.

The idea behind two factor authentication is that, if someone tries to gain access to your account, they not only need your username and password, but they would need your cell phone as well.

Using Miva Merchant two factor authentication is optional, but it provides another layer of security for your admin user accounts. Miva Merchant second factor authentication does not apply to customer accounts in your on-line store.

To Use Miva Merchant Two Factor Authentication:

  1. Install Google Authenticator, or another QR code authenticator on your cell phone. See: https://support.google.com/accounts/answer/1066447?hl=en
  2. Go to Menu> Domain Settings > Domain Details tab > Password Settings section.
  3. Check the Enable TOTP checkbox. (TOTP stands for "time based one time password".)
  4. Go to Menu> Users. Edit a user.
  5. In the Edit User screen, click Manage Two-Factor Authentication.
  6. Packaging Rules

  7. In the Two-Factor Authentication dialog box, click Enable.
  8. Miva Merchant will generate a "QR code" which is basically a two-dimensional barcode.

    Two Factor Identification

  9. Start the QR code authenticator application (like Google Authenticator) that you installed on your cell phone.
  10. Take a picture of the Miva Merchant QR code with your cell phone.
  11. Open a browser and go to your Miva Merchant admin URL. In addition to your username and password, you'll see that there is a new field for an authentication code.
  12. Miva Merchant Login

    9.1. Enter your username and password as you normally would.

    9.2. Use the QR code authenticator on your cell phone to generate an authentication code. Enter this code in the Authentication Code field.

    9.3. Click Sign In.

Notes on Miva Merchant Two Factor Authentication

  • This type of two factor authentication is time based.
    • It assumes that the system time on your store server, and the system time on your cell phone are both correct. If the time on either your server or your cell phone is not correct, it can cause two factor authentication to fail and you wouldn't be able to log into the admin interface.
    • By default, the authentication codes are only valid for 60 seconds.
    • If your authentication code expires, you can generate another one.
  • When you click on the Enable TOTP checkbox (Menu > Domain Settings > Domain Details tab > Password Settings section), you are enabling two factor authentication for the admin interface of the current store. However:
    • Every admin user who wants to use two factor authentication must download a QR code authenticator to their cell phone.
    • You must generate a separate QR code for each admin user that wants to use two factor authentication.
    • Every admin user who wants to use two factor authentication has to take a picture of the QR code that was generated for their admin account.
  • Once you enable TOTP in the admin interface, all admin users will see the Authentication Code field when they login. However, if one of your admin users is not set up for two factor authentication, they can ignore the Authentication Code field. They can login just by entering their username and password as usual.

Timeouts

Shopping Interface Cookie Expiration: Determines how long the session cookie is valid. The default is set to one year. Your cookie should always be set to a value higher than your Basket Timeout, otherwise a shopper could appear to lose a live basket.
Shopping Interface Secure Cookie Expiration:

If the customer is on a non-SSL page in your store, Miva Merchant generates a non-secure session cookie. If the customer is on an SSL page in your on-line store, Miva Merchant generates a secure session cookie.

This field determines how long the secure session cookie is valid. The default is set to one year. Your cookie should always be set to a value higher than your Basket Timeout, otherwise a shopper could appear to lose a live basket.

Administration Session Timeout: PCI compliance requires that the admin session timeout be 15 minutes or less. When the timeout occurs, admin users will be automatically returned to the login screen.
Administration Session Failed Login Lockout Time: The lockout time occurs when an admin user exceeds the max number of login attempts. PCI compliance requires a lockout time of 30 minutes or longer.
Administration Session Failed Login Attempts Allowed: Sets the max number of login attempts for the Miva Merchant admin interface. The requirement for PCI compliance is 6 login attempts or less.
Failed Login Delay: Enter a value, in milliseconds, that an admin user must wait after entering an incorrect username or password. For example, if you enter 5000 milliseconds here, an admin user has to wait five seconds after entering an incorrect username or password before they can try again.

Upload Settings

Image Extension Types: The Image Extensions Types are a simple security check for file uploads that are done through the admin interface. You can put any file extensions in this box. When someone tries to upload a file to your store through the admin interface, the system checks the extension of that file against the list of extensions in this box. If it isn't on the list of allowed file extensions, the upload will fail.
JPEG Image Quality:

Use this field to control the quality of jpg images that you upload. Reducing the image quality, even from 100% to 95%, can significantly reduce the image size.

  • This field has no effect on any other format, such as .gif.
  • This field has no effect over the "older" types of images, such as Legacy Images. This field only affects images that you uploaded as Additional Images or imported using Image Types.

Mail Settings

In releases before PR8 Update 9, store owners had two choices for using a mail server:

  • Use a mail server on the same machine that hosted their store.
  • Use an external mail server, such as SendGrid, Google Apps, or your company's exchange server, with no credentials. Miva Merchant could only connect to an external mail server if there was an account on the mail server that did not require a username or password.
  • Beginning in PR8 Update 9, you can continue to use the mail server on your store's machine, but you can also connect to an external mail server account that requires a username and password.

    Miva Merchant will also detect and support the following SMTP authentication standards on an external mail server:

  • PLAIN
  • LOGIN
  • DIGEST-MD5
  • CRAM-MD5
Mail Server: The address of your Web host's mail server that sends out e-mail. This is not an e-mail address. You can get this address from your hosting company. In some cases the host provides this information in a FAQ page. If you cannot find the information on the website, contact the hosting company directly.
Encryption:

The Encryption field is only used if you are connecting to an external mail server.

  • Plaintext: Credentials and emails are sent to the mail server in plain text.
  • STARTTLS: Select this option to have credentials and emails encrypted if your mail server uses STARTTLS.
  • SSL: Select this option to have credentials and emails encrypted if your mail server uses SSL.
  • Port: the connection port on your mail server.
Mail User: If you are connecting to an external mail server, enter the account username here.
Mail Password: If you are connecting to an external mail server, enter the account password here.
Add Angle Brackets to Email Addresses: Some hosts require that angle brackets enclose the e-mail address. For example, documentation@miva.com would be entered as . Contact your hosting company to find out if you need to use angle brackets.
Mail Method: Some web hosts use an optional commerce library method to send email. If yours does, they will either set this up for you, or will tell you what to enter here. In general, leave this field blank.

Cookie Settings

These settings should only be modified by advanced users.

Non-secure Miva Merchant Cookie "domain", Non-secure Miva Merchant Cookie "path"

Essentially, the cookie domain and cookie path give you some control over when a browser sends a cookie back to a web server. If you specify a cookie domain and path, the browser will only send the cookie back to the web server when the user requests a page in that domain and path. See: http://en.wikipedia.org/wiki/HTTP_cookie#Domain_and_Path for examples.
Non-secure Miva Merchant Cookie Output:

Depending on your service provider and the type of payments that you accept, your store may be examined routinely by a PCI scanner. A PCI scanner checks your on-line store for a number of potential issues, to make sure that your store is PCI compliant. One issue that PCI scanners look for is to see if secure (HTTPS) pages in your store are setting cookies that have the "secure flag" set.

See: http://en.wikipedia.org/wiki/HTTP_cookie for basic information about cookies and secure cookies.

If the scanner sees that you have a secure page which is setting a cookie without the secure flag, it may trigger a PCI compliance error. The settings is this section give you some control over how your store pages can set cookies.

  • Set only on HTTP connections, without secure flag: If the customer is on a secure page in your store, they will only receive a cookie if it has the secure flag set. This is the default and the safest option. It is also the condition that PCI scanners check for, so if you keep this option, you will never get a secure flag error from a PCI Scanner.
  • This option assumes that you are using the Miva Merchant default SSL page settings. See Appendix 5: Default HTTP/HTTPS Pages for more information.

  • Set on both HTTP and HTTPS connections, without secure flag: This option will allow secure and non-secure pages to set cookies without the secure flag. It is the least safe option and the one most likely to generate an error from a PCI scanner. Some Miva Merchant store owners have selected this option to correct a rare situation. If your store has a custom mixture of secure and non-secure pages, and a customer starts on a secure page and visits a non-secure page before checking out, it's possible that the basket could appear empty because Miva Merchant has lost the session ID associated with the basket. If you select this option the customer's basket (and cookie) should be ok, but you may trigger a false positive from the PCI scanner.
  • Set only on HTTPS connections, with secure flag: Choose this option if you have modified your store so that every page uses SSL. Every cookie will have the secure flag set.
  • SSL If you select this option and you do not use SSL on all of your store pages, customers will not be able to go through checkout.

Secure Miva Merchant Cookie "domain:", Secure Miva Merchant Cookie "path:"

The same as the "non-secure" settings, but applied to your secure store.

Upgrade Settings

Set the frequency that you would like to check for software upgrades.

Upgrade Stream:

It is rarely necessary to change this setting. Periodically, Miva Merchant offers a public beta release of the Miva Merchant software. If you want to participate in the beta, you change your Upgrade Stream to beta.

When the beta becomes available, you click on the "Eligible for Updates" box and the beta will be downloaded to your store server. It is common for store owners to have a "development" store on their server, and a "production" store. Customers who are interested in the beta software download it to their development site, where it will not interfere with their production store. Please contact Miva Merchant customer support if you are not sure how to do this.

Check for Upgrades: Set the frequency that you would like to check for software upgrades.
Check for Upgrades: Set the frequency that you would like to check for software upgrades.
Review Installed Updates: Lists all of the updates that have been applied to your store's current production version. The list is erased each time you install a new production release.

Looking for Developer Docs?

We have a whole section for that, including: Developer Training Series, Template Language docs, Module Development tutorials and much, much more.

Head to the Developer Section

Miva believes that all online businesses should have access to a scalable ecommerce platform that can meet their unique business requirements. Miva offers PCI compliant ecommerce, hosting, and custom website design and development solutions. Miva customers have processed over $100 billion in online sales since 1997.

Copyright © 2016 Miva, Inc - All Rights Reserved   Privacy Policy | Store Policy

Links
Contact Us
Receive Tips & Updates

Copyright © 2016 Miva, Inc - All Rights Reserved

Back To The Top