{"id":48015908,"url":"https://github.com/faratech/xenforo-session-validator","last_synced_at":"2026-04-04T13:43:42.022Z","repository":{"id":297107618,"uuid":"994337175","full_name":"faratech/xenforo-session-validator","owner":"faratech","description":"Validates XenForo sessions and adds verification headers for Cloudflare WAF rules to distinguish between members, guests, and bots","archived":false,"fork":false,"pushed_at":"2026-02-16T23:29:19.000Z","size":118,"stargazers_count":1,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-02-17T05:31:25.090Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"PHP","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/faratech.png","metadata":{"files":{"readme":"README-ADDON.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE.md","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2025-06-01T18:13:19.000Z","updated_at":"2026-02-16T23:29:22.000Z","dependencies_parsed_at":"2026-02-17T01:03:34.880Z","dependency_job_id":null,"html_url":"https://github.com/faratech/xenforo-session-validator","commit_stats":null,"previous_names":["faratech/xenforo-session-validator"],"tags_count":2,"template":false,"template_full_name":null,"purl":"pkg:github/faratech/xenforo-session-validator","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/faratech%2Fxenforo-session-validator","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/faratech%2Fxenforo-session-validator/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/faratech%2Fxenforo-session-validator/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/faratech%2Fxenforo-session-validator/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/faratech","download_url":"https://codeload.github.com/faratech/xenforo-session-validator/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/faratech%2Fxenforo-session-validator/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":31402276,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-04T10:20:44.708Z","status":"ssl_error","status_checked_at":"2026-04-04T10:20:06.846Z","response_time":60,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2026-04-04T13:43:41.375Z","updated_at":"2026-04-04T13:43:42.011Z","avatar_url":"https://github.com/faratech.png","language":"PHP","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Session Validator for Cloudflare\n\nA XenForo 2.2+ add-on that validates user sessions and adds verification headers for use with Cloudflare's Web Application Firewall (WAF) rules. This allows you to create security rules that treat authenticated forum members differently from guests or bots.\n\n## Features\n\n- **Automatic Session Validation**: Validates XenForo sessions early in the request cycle\n- **Security Headers**: Adds custom headers that Cloudflare can read to identify verified users\n- **Flexible Configuration**: Control what information is exposed via headers\n- **Lightweight**: Minimal performance impact with efficient database queries\n- **Privacy Conscious**: Verbose output can be disabled to limit exposed information\n\n## Requirements\n\n- XenForo 2.2.0 or higher\n- PHP 7.2 or higher\n- Cloudflare (Free, Pro, Business, or Enterprise plan)\n\n## Installation\n\n1. Download the add-on package\n2. Extract the contents to `src/addons/WindowsForum/SessionValidator/`\n3. In your XenForo Admin Control Panel, go to **Add-ons**\n4. Click **Install/upgrade from archive** or **Install from file system**\n5. Select the Session Validator add-on and click **Install**\n\n## Configuration\n\n### XenForo Settings\n\nNavigate to **Admin CP → Options → Session Validator** to configure:\n\n- **Enable Session Validator**: Turn the add-on on/off\n- **Activity Window**: How long (in seconds) a user is considered active (default: 24 hours)\n- **Verbose Output**: Whether to include detailed user information in headers\n\n### Headers Explained\n\nThe add-on sets the following HTTP headers that Cloudflare can read:\n\n#### Always Set (when validated):\n- `XF-Verified-User: true` - User has valid session with all required cookies\n- `XF-Verified-Session: true` - Valid session exists\n- `XF-Session-Validated: [timestamp]` - When validation occurred\n\n#### With Verbose Output Enabled:\n- `XF-User-ID: [user_id]` - The user's numeric ID\n- `XF-Username: [username]` - The user's username\n- `XF-Is-Staff: true/false` - Whether user is staff\n- `XF-Is-Admin: true/false` - Whether user is admin\n- `XF-Is-Moderator: true/false` - Whether user is moderator\n\n## Cloudflare Configuration\n\n### Creating WAF Rules\n\n1. Log into your Cloudflare dashboard\n2. Select your domain\n3. Go to **Security → WAF → Custom rules**\n4. Click **Create rule**\n\n### Example Rules\n\n#### Skip Security Checks for Verified Users\n```\nRule name: Allow Verified Forum Users\nExpression: (http.request.headers[\"xf-verified-user\"][0] eq \"true\")\nAction: Skip → All remaining custom rules\n```\n\n#### Rate Limit Non-Members More Aggressively\n```\nRule name: Strict Rate Limit for Guests\nExpression: (not http.request.headers[\"xf-verified-session\"][0] eq \"true\") and (http.request.uri.path contains \"/forums/\")\nAction: Block\n```\n\n#### Allow Staff Bypass During Attacks\n```\nRule name: Staff Always Allowed\nExpression: (http.request.headers[\"xf-is-staff\"][0] eq \"true\")\nAction: Skip → All security measures\n```\n\n#### Block Specific Actions for Non-Members\n```\nRule name: Members Only Actions\nExpression: (http.request.uri.path contains \"/post-thread\" or http.request.uri.path contains \"/post-reply\") and (not http.request.headers[\"xf-verified-user\"][0] eq \"true\")\nAction: Block\n```\n\n### Important Cloudflare Settings\n\n1. **Page Rules**: Ensure \"Cache Level: Bypass\" for paths like `/admin.php`, `/login/`, etc.\n2. **Configuration Rules**: Set \"Cache Eligibility: Bypass cache\" when cookie `xf_user` exists\n3. **Security Level**: Can be set higher since members won't see challenges\n\n## How It Works\n\n1. The add-on runs very early in XenForo's request cycle\n2. It checks for XenForo session cookies (`xf_session`, `xf_user`, `xf_csrf`)\n3. When all three cookies are present, it validates against the database\n4. If validation succeeds, it sets HTTP headers before any output\n5. Cloudflare reads these headers and applies your custom rules\n\n## Security Considerations\n\n- **Verbose Output**: Only enable if you need the extra information. User IDs and usernames in headers could be logged by proxies.\n- **HTTPS Required**: Always use HTTPS to prevent header spoofing\n- **Rule Order**: Place skip rules before block rules in Cloudflare\n- **Cache Headers**: The validator doesn't interfere with XenForo's cache headers\n\n## Troubleshooting\n\n### Headers Not Appearing\n\n1. Check if the add-on is enabled in XenForo options\n2. Verify you're logged into the forum\n3. Clear Cloudflare cache: **Caching → Configuration → Purge Everything**\n4. Check cookies are being sent: Browser DevTools → Network → Request Headers\n\n### Validation Not Working\n\n- Ensure all three cookies are present: `xf_session`, `xf_user`, `xf_csrf`\n- Check user has activity within the configured window (default 24 hours)\n- Verify database connectivity in XenForo\n\n### Testing Headers\n\n```bash\n# Test with curl (replace with your actual cookies)\ncurl -I -H \"Cookie: xf_session=YOUR_SESSION; xf_user=YOUR_USER; xf_csrf=YOUR_CSRF\" https://yourdomain.com/\n\n# Look for XF-* headers in response\n```\n\n## Performance\n\n- Adds one database query per request (cached by XenForo)\n- Headers are set before any output processing\n- No impact on page rendering time\n- Works with XenForo's built-in caching\n\n## Privacy Policy\n\nIf you enable verbose output, consider updating your privacy policy to mention that user identifiers may be included in HTTP headers for security purposes.\n\n## Support\n\n- **Bug Reports**: Please include XenForo version, PHP version, and any error messages\n- **Feature Requests**: We welcome suggestions for improvement\n- **Cloudflare Help**: See [Cloudflare's WAF documentation](https://developers.cloudflare.com/waf/custom-rules/)\n\n## License\n\nThis add-on is released under the MIT License. See LICENSE file for details.\n\n## Credits\n\nDeveloped by WindowsForum for the XenForo community. Based on proven session validation techniques.","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ffaratech%2Fxenforo-session-validator","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Ffaratech%2Fxenforo-session-validator","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ffaratech%2Fxenforo-session-validator/lists"}