- Compatible XF Versions
- 2.3
Validates XenForo sessions and adds verification headers for Cloudflare WAF rules to distinguish bet
Session Validator for CloudflareSecure your XenForo forum with intelligent session validation
Overview
Session Validator for Cloudflare is a lightweight XenForo 2.2+ add-on that validates user sessions and adds verification headers for use with Cloudflare's Web Application Firewall (WAF) rules. This allows you to create sophisticated security rules that differentiate between authenticated forum members, guests, and bots.
Key Features
- Automatic Session Validation - Validates XenForo sessions early in the request cycle before any content is processed
- Security Headers - Adds custom HTTP headers that Cloudflare can read to identify verified users
- Flexible Configuration - Control what information is exposed via headers with verbose output options
- Lightweight Performance - Minimal impact with efficient database queries and optional caching
- Privacy Conscious - Verbose output can be disabled to limit exposed information
- Bot Protection - Easily create WAF rules to block malicious bots while allowing legitimate users
How It Works
The add-on validates XenForo sessions by checking:
- Session cookies (xf_session, xf_user, xf_csrf)
- Session activity in the database
- User authentication status
Based on validation results, it sets HTTP headers that Cloudflare can use in WAF rules:
Code:
You must log in to view
(3 lines)Use Cases
- Block Aggressive Bots - Create rules that challenge or block requests without valid sessions
- Protect Against DDoS - Rate limit non-authenticated users more aggressively
- Prevent Content Scraping - Require valid sessions for accessing certain content
- Enhanced Security Rules - Build complex WAF rules based on user authentication status
- Member-Only Areas - Enforce authentication at the edge with Cloudflare
Example Cloudflare WAF Rule
Block requests to attachments without valid session
Code:
You must log in to view
(1 lines)Configuration Options
- Enable/Disable - Turn session validation on/off
- Activity Window - Set how long users are considered active (default: 24 hours)
- Verbose Output - Include additional headers with user details (ID, username, staff status)
Technical Details
- Integrates via XenForo event listeners (app_setup, app_admin_setup, app_api_setup)
- Validates against xf_session_activity table
- Supports both regular and admin sessions
- Compatible with XenForo's built-in caching systems
- Clean uninstall with no database modifications
Requirements
- XenForo 2.2.0 or higher
- PHP 7.2 or higher
- Cloudflare account (Free, Pro, Business, or Enterprise)
- Basic knowledge of Cloudflare WAF rules
Installation
- Download and extract the add-on
- Upload to src/addons/WindowsForum/SessionValidator/
- Install via Admin CP → Add-ons
- Configure options in Admin CP → Options → Session Validator
- Create Cloudflare WAF rules using the provided headers
Support
This add-on is provided under the MIT License. Community support is available in this thread.
Changelog
Version 1.0.0 (Current)
- Initial release
- Core session validation functionality
- Configurable verbose output
- Full documentation included
Protect your forum today with intelligent session validation!
You have
