ADMIN: System → Configuration → Web Tab
- Add Store Code to Urls - Inserts the current store code (as defined in System > Manage Stores) into each URL. Scope: global.
For a store view with the code “store2en” the URL will have the format:
Note: If you use web server rewrites, the “index.php” filename in the above URL will be hidden.
- Redirect to Base URL if requested URL doesn’t match it - Redirects traffic to your base URL rather than 404 pages. Should be “no” for multi-store setups. Scope: global.
- Use Web Server Rewrites
Each page in a Magento website is generated starting with the same main PHP script. This file is called index.php and normally resides in the root folder of the website. In order to run this script for each page, each Magento URL typically looks like this:
Using a technique called web server rewrites, Magento can hide the file name portion of the URL, making the URL look like this:
Hiding the “index.php” part of the URL is common practice in most PHP-based content management systems. It has no measurable effect on the usability or performance of your website and will not affect your website’s ranking in the search engines.
- Base URL - Full address to the root Magento folder for the website (where the index.php file is located). The URL should include a trailing slash.
- Base Link URL - Typically points to the same folder as Base URL. A simple way to reference the base URL is
for the unencrypted URL in the Unsecure section, and
in the Secure section.
- Base Skin URL - Points to the folder where the skin for this website is located. By default, this folder is called “skin”. For the Unsecure URL, you can designate this folder using
If you are running multiple sites off the same Magento folder structure, you may want to use different skin folders for each site, e.g. to use a different layout for each site. Using a different folder is also useful if you want to store your skins outside the Magento folder.
- Base Media URL - Points to the folder where the catalog images for this website are located. By default, this folder is called “media”. For the Unsecure URL, you can designate this folder using
If you are running multiple sites off the same Magento folder structure, you may want to use different media folders for each site, e.g. if you want the ability to backup and restore them separately. Using a different folder is also useful if you want to store your images outside the Magento folder.
Magento can force the browser to use SSL encryption both in its frontend and backend. If you install an SSL certificate for your domain name, you can request that Magento uses encrypted “https” URLs instead of unencrypted “http” URLs in the frontend (the store itself) and/or in the backend Admin system. These settings are located at the bottom of the “Secure” section of this page.
This section is used to specify the pages in Magento’s own content management system (CMS) that are used for the starting page of the website, and for “page not found” errors (read more about the Magento CMS).
- Default Web URL - Designates the page that is loaded for the base URL, i.e. when the URL does not contain a URL identifier. Scope: store view.
The default value is “cms”. If you want the website to start by showing a blog, and you have installed this blog in a folder called “magento/blog/”, you can set the Default web url to “blog”.
- CMS Home Page - After a home page has been created in Magento’s CMS (via CMS > Pages > Manage Content), select it from the drop down here to assign it as the home page of your website. Scope: store view.
- Default No-route URL - Contains the URL of the page you want loaded into the browser if an HTTP 404 “not found” error occurs. The default value is “cms/index/noRoute”. Scope: store view.
- CMS No Route Page - After a page-not-found page has been created in Magento’s CMS (via CMS > Pages > Manage Content), select it from the drop down here to assign it as the 404 page of your website. Scope: store view.
- CMS No Cookies Page
- Show Breadcrumbs for CMS Pages - Scope: store view. “Breadcrumbs” (also called “you-are-here” lines) appear by default on each catalog page in Magento:
Home / Electronics / Cameras / Accessories
If you want similar breadcrumbs to appear in the pages that you have made yourself using the Magento CMS, select Yes for the Show breadcrumbs for CMS pages setting. The breadcrumb for a CMS page contains its Title, e.g.
Home / About us
- Disallow Voting in a Poll Multiple Times from Same IP-address -
Magento can ensure that each IP address only has one vote in each of your polls (read more about polls).
- Yes : Limits each IP address to only one vote in each poll.
Note that multiple users may have legitimate reasons to share the same IP address, e.g. by using the same computer to access your site or by using an IP sharing setup such as a home router.
- Cookie Lifetime
- Cookie Path
- Cookie Domain
- Use HTTP Only
The Cookie Path allows you to make Magento cookies available in directories (folder paths) other than the current one. If you want to make cookies available anywhere in a site you should set this value to a single forward slash:
The Cookie Domain is mainly used to control whether cookies will be visible in subdomains (e.g. http://subdomain.domain.com/) or not. To ensure that cookies are available in all your subdomains, enter your domain name prefixed with a period:
The Cookie Lifetime setting controls when the browser deletes the Magento cookies automatically. The default value is 3600 which means that the cookies remain in the browser for one hour (60 minutes * 60 seconds) unless the browser deletes the cookies for some other reason.
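How the Cookie Path and Cookie Domain settings decide which requests carry the cookie, as an added example that is not part of the original page and is not Magento's code. It models the browser-side matching rules; the host names, the cookie name `session` and the value `abc123` are constructed samples.

```python
# Added example: models browser cookie scoping; not Magento's code.
from urllib.parse import urlsplit


def domain_match(host, setting_host, cookie_domain):
    """An empty Cookie Domain gives a host-only cookie; a domain (its
    leading period is ignored) also matches every subdomain."""
    host = host.lower()
    if not cookie_domain:
        return host == setting_host.lower()
    domain = cookie_domain.lower().lstrip(".")
    return host == domain or host.endswith("." + domain)


def path_match(request_path, cookie_path):
    """The Cookie Path must equal the request path or be a whole-segment
    prefix of it, so "/store" does not cover "/store2"."""
    request_path = request_path or "/"
    if request_path == cookie_path:
        return True
    if not request_path.startswith(cookie_path):
        return False
    return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"


def cookie_sent(url, setting_host, cookie_domain, cookie_path):
    """Would a browser attach the cookie to a request for `url`?"""
    parts = urlsplit(url)
    return (domain_match(parts.hostname, setting_host, cookie_domain)
            and path_match(parts.path, cookie_path))


def set_cookie_header(name, value, lifetime, path, domain, http_only):
    """Render the four settings as Set-Cookie attributes."""
    attrs = [f"{name}={value}", f"Max-Age={lifetime}", f"Path={path}"]
    if domain:
        attrs.append(f"Domain={domain}")
    if http_only:
        attrs.append("HttpOnly")  # hides the cookie from page JavaScript
    return "; ".join(attrs)


if __name__ == "__main__":
    # Constructed sample: cookie set by www.domain.com, requested elsewhere.
    url = "http://subdomain.domain.com/checkout/cart/"
    print(cookie_sent(url, "www.domain.com", "", "/"))             # host-only
    print(cookie_sent(url, "www.domain.com", ".domain.com", "/"))  # all subdomains
    print(set_cookie_header("session", "abc123", 3600, "/", ".domain.com", True))
```

A wider Cookie Domain or Cookie Path exposes the session cookie to every application served under that scope, so choose the narrowest values that still cover your stores.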
Information transmitted by a client to a server is available to the server as environment variables. If a piece of information is not transmitted, or the server is set up incorrectly, the corresponding variable will be empty (its value will be undetermined). Magento allows you to use some of these variables to validate your customers’ sessions.
These validation options are security features designed to help prevent session fixation attacks, session poisoning, and session stealing. The point of the checks is to ensure that the visitor is who they say they are by checking the enabled values against what Magento has stored in the $_SESSION data for that user. By default the validation of these variables is disabled (options are set to “No”). To enable validation, set the desired options to “Yes”.
Enabling these checks can help prevent these types of issues but could slow down the server and the speed of the session for the customer/visitor. It’s wise to experiment a little with these settings to meet the needs and profile of your customers. Setting all of them to “Yes” can be unduly restrictive and will not allow customers coming in through proxy servers or from behind firewalls to shop on your site. More information about each of the session variables and their meaning can be obtained from a Unix system administration resource.
- Validate REMOTE_ADDR - Checks that the IP address of a request matches what’s stored in the $_SESSION data. If a different IP address is detected then the session is invalidated.
- Validate HTTP_VIA - HTTP_VIA is not empty if a transaction came in through a proxy. Proxy traffic can be validated to have come at least from the same proxy. Checks that the proxy address of a request matches what’s stored in the $_SESSION data. If a different proxy address is detected then the session is invalidated.
- Validate HTTP_X_FORWARDED_FOR - HTTP_X_FORWARDED_FOR is not empty if a transaction came in through a proxy. Its value is the real IP address of the client; the variable is added by the proxy server if one was used. Checks that the forwarded-for address of a request matches what’s stored in the $_SESSION data. If a different forwarded-for address is detected then the session is invalidated.
- Validate HTTP_USER_AGENT - USER_AGENT is the browser or device being used to access the website. The browser’s name and version (e.g. MSIE 5.5) and the operating system (e.g. Windows 98) are also given here. Examples are: Mozilla/4.0 or MSIE 5.0. If a different user agent is detected from one request to another in a session, the session is invalidated.
- Use SID on Frontend - SID is a unique code added to URLs by Magento on the frontend to ensure that the same user is attached to their session data. This also allows customers to stay logged in when switching between stores. However, SID can conflict with full page caching. You must also set up your Analytics package to filter the SID from URLs in order to get good page visit reporting.
- Redirect to CMS-page if Cookies are Disabled
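The trade-off behind the four Validate settings above, as an added example that is not part of the original page and is not Magento's code. It models the check (store the variables when the session starts, compare them on each later request) and replays constructed traffic under three configurations; the `validator_data` key, the proxy names and the IP addresses are assumptions made for illustration.

```python
# Added example: a model of the checks described above, not Magento's code.
CHECKS = ("REMOTE_ADDR", "HTTP_VIA", "HTTP_X_FORWARDED_FOR", "HTTP_USER_AGENT")
ALL_OFF = dict.fromkeys(CHECKS, False)          # the default ("No" everywhere)
ALL_ON = dict.fromkeys(CHECKS, True)
UA_ONLY = {**ALL_OFF, "HTTP_USER_AGENT": True}


def fingerprint(server_vars):
    """Read the four variables; one that was not transmitted is empty."""
    return {key: server_vars.get(key, "") for key in CHECKS}


def validate(session, server_vars, enabled):
    """Return the enabled checks whose current value differs from the
    value stored in the session (an empty list means the session is kept)."""
    current = fingerprint(server_vars)
    stored = session["validator_data"]          # hypothetical key name
    return [k for k in CHECKS if enabled[k] and stored[k] != current[k]]


def replay(requests, enabled):
    """The first request opens the session. Return (index, failed_checks)
    for the request that invalidates it, or None if every request passes."""
    session = {"validator_data": fingerprint(requests[0])}
    for index, server_vars in enumerate(requests[1:], start=1):
        failed = validate(session, server_vars, enabled)
        if failed:
            return index, failed
    return None


# Constructed sample traffic (documentation-range IP addresses).
_customer = {"HTTP_X_FORWARDED_FOR": "198.51.100.7", "HTTP_USER_AGENT": "Mozilla/4.0"}
# One customer whose requests leave through two different proxies.
PROXY_POOL_CUSTOMER = [
    {**_customer, "REMOTE_ADDR": "203.0.113.10", "HTTP_VIA": "1.1 proxy-a"},
    {**_customer, "REMOTE_ADDR": "203.0.113.11", "HTTP_VIA": "1.1 proxy-b"},
]
# The same session presented by a second, different client.
DIFFERENT_CLIENT = [
    {"REMOTE_ADDR": "198.51.100.7", "HTTP_USER_AGENT": "Mozilla/4.0"},
    {"REMOTE_ADDR": "192.0.2.44", "HTTP_USER_AGENT": "MSIE 5.0"},
]

if __name__ == "__main__":
    for label, enabled in (("all No", ALL_OFF), ("all Yes", ALL_ON), ("UA only", UA_ONLY)):
        print(label, replay(PROXY_POOL_CUSTOMER, enabled), replay(DIFFERENT_CLIENT, enabled))
```

With every check set to “Yes” the legitimate proxy customer loses the session on the second request, while the user-agent check alone keeps that customer and still rejects the second client.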