A XenForo 2.2+ add-on that validates user sessions server-side and provides verification headers for Cloudflare WAF rules, enabling advanced security configurations.
This add-on validates XenForo sessions against the actual database, not just cookies. It checks:
- Active sessions in the
xf_session_activitytable - Remember cookies against the
xf_user_remembertable - CSRF tokens for basic session validation
This provides much stronger security than simple cookie-based rules.
-
Session Validation Priority:
- Active Session: First checks if there's an active XenForo session with a logged-in user
- Remember Cookie: Validates "Stay logged in" cookies against the
xf_user_remembertable - CSRF Token: Basic session validation for guests or expired sessions
-
Cookie Handling: Uses XenForo's request object to properly handle cookie prefixes:
xf_session: The session identifierxf_user: Remember me cookie (format: "userId,rememberKey")xf_csrf: CSRF protection token (format: "timestamp,hash")
-
Database Verification:
- Uses XenForo's built-in repositories for proper validation
- Checks
xf_session_activitytable for recent user activity - Validates remember cookies against
xf_user_remembertable - Respects configured activity window timeout
-
Headers: Based on validation results, it sets HTTP headers that Cloudflare can use:
XF-Verified-User: true- User is fully authenticatedXF-Verified-Session: true- Valid session existsXF-User-ID,XF-Username, etc. - Additional user details (if verbose mode enabled)
- Upload the
WindowsForum/SessionValidatorfolder tosrc/addons/ - Install via Admin CP → Add-ons → Install/upgrade from archive or file system
- Configure options in Admin CP → Options → Session Validator
- Enable Session Validator - Master on/off switch
- Activity Window - How long to consider a session active (default: 3600 seconds/1 hour)
- Verbose Output - Include user details in headers (ID, username, permissions)
XF-Verified-User: true- Authenticated user with valid sessionXF-Verified-Session: true- Valid session existsXF-Session-Validated: [ISO 8601 timestamp]
XF-User-ID: [numeric user ID]XF-Username: [username]XF-Is-Staff: true/falseXF-Is-Admin: true/falseXF-Is-Moderator: true/false
# Block requests to protected areas without valid XenForo session
(http.request.uri.path contains "/forums/" and
not any(http.request.headers.names[*] contains "XF-Verified-Session"))
# Only allow staff to admin areas
(http.request.uri.path contains "/admin.php" and
not http.request.headers["xf-is-admin"][0] eq "true")
# Aggressive rate limiting for non-authenticated users
(not any(http.request.headers.names[*] contains "XF-Verified-User") and
rate(5m) > 100)
# Skip challenges for authenticated users
(cf.bot_management.score lt 30 and
http.request.headers["xf-verified-user"][0] eq "true")
Action: Skip remaining rules
# Require authentication for attachment downloads
(http.request.uri.path contains "/attachments/" and
not http.request.headers["xf-verified-user"][0] eq "true")
Action: Block
# Allow only authenticated users from specific countries
(not ip.geoip.country in {"US" "CA" "GB"} and
not http.request.headers["xf-verified-user"][0] eq "true")
Action: Managed Challenge
# Block rapid requests to thread pages from non-members
(http.request.uri.path matches "^/threads/.*" and
not http.request.headers["xf-verified-user"][0] eq "true" and
rate(1m) > 20)
Action: Block
- Uses XenForo's request object for proper cookie handling with prefixes
- Validates remember cookies using XenForo's built-in
UserRememberRepository - Properly parses CSRF tokens with timestamp validation
- Handles missing or malformed cookies gracefully
- Uses XenForo's existing database connection (
\XF::db()) - Leverages XenForo's repository pattern for efficient queries
- Minimal database queries - only when necessary
- Only sets headers if not already sent
- Validates remember cookies against
xf_user_remembertable - Checks session activity within configurable time window
- CSRF token timestamp validation prevents replay attacks
- Validates user permissions (staff, admin, moderator)
- Prevents header injection with proper sanitization
- Graceful fallback for database errors
- Fully aligned with XenForo's session handling implementation
- Uses same validation logic as XenForo core
- Respects XenForo's cookie configuration and prefixes
- Compatible with XenForo's remember me functionality
- User data is only included in headers when verbose output is enabled
- Headers are only visible server-side (between your server and Cloudflare)
- No sensitive data (passwords, emails, IPs) is ever included
- You control what data is exposed via the verbose output option
- Check if the add-on is enabled in options
- Verify cookies are being sent by the browser
- Check error logs for database connection issues
- Ensure headers aren't already sent by other code
- Increase the activity window setting
- Check if users have cookies enabled
- Verify your Cloudflare rules syntax
- Check time sync between server and database
- Minimal - adds one database query per request
- Use activity window to balance security vs performance
- Consider caching rules in Cloudflare Page Rules
- XenForo 2.2.0 or higher
- PHP 7.2 or higher
- Standard XenForo database access
- Headers must not be already sent
MIT License - see LICENSE.md
Developed by WindowsForum for the XenForo community, with insights from the original standalone validator implementation.