What's New in SMF 2.1 - Security

Started by Trekkie101, September 10, 2012, 02:46:21 AM



Last week we brought to you the first public alpha of SMF 2.1 in a blog post talking about current development. Over the coming weeks there will be a few blogs on some of the new features in SMF 2.1. Today I present our security enhancements.

We take security very seriously here at Simple Machines and to help further improve SMF 2.1 we have added the following features to strengthen our default guard.

IPv6 Support
Ban and post management now work by default with IPv6 and IPv4 without you needing to do anything. This enhances your ability to block people from using your forum.

Moderation Sessions
Previously, if you were logged in as an Administrator, before completing any administration tasks you would be presented with a dialog asking you to re-enter your password. This allowed SMF to ensure that if you had forgotten to log out elsewhere, no-one could damage the settings of your forum. We realise that more often than not there are more moderators on a forum than administrators, and with a moderation account a malicious person could delete or harm many of your boards' posts. To stop this, we have enabled moderation sessions too, so now before completing a moderation action your moderators will have to re-enter their password. Don't worry though, it's only once per active browsing session.

End Administration Session
In the same scope as above, to stop any malicious activity if someone has access to your administration centre, you can now select "Admin End Session" from the main menu in the administration centre and have them kicked right back out.

If you're logged into SMF, and even if you've validated your session by re-entering your password, a malicious person could trick or fool you into clicking a link that would harm your forum by carrying out a given action (in some rare circumstances). To further protect SMF 2.1 there are now one-use tokens in play for every page. You won't notice them and they won't harm the running of your forum, but they will essentially stop anything off the page from interacting with anything on the page that you don't manually touch.

HTTP only cookies
This setting can be enabled to stop any script from touching your cookies and the data files needed for SMF to run; essentially this will stop things like JavaScript from reading the cookies, gaining any access you have and carrying out actions on your behalf. This helps to protect from the rising threat of cross-site scripting attacks, where one site tries to get you to poison your own.

Open Development
SMF is Open Source software released under the BSD license; you can view our current progress and see the work on the features listed above on our GitHub account (our main source of development), where you can try out the latest code and submit changes or fixes of your own to the codebase.
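The two mechanisms described above, one-use form tokens and an HttpOnly session cookie, as an added illustration that is not SMF's own code (all function names, the `tokens` session key and the `admin-delete-board` action name are assumptions for this example):

```php
<?php
// Added example, not taken from SMF. Shows a per-action one-use token that is
// spent on first validation, and a session cookie flagged HttpOnly so page
// scripts cannot read it. Names below are assumptions for illustration.

// Start the session with the cookie marked HttpOnly (and Secure when on TLS).
function start_hardened_session(): void
{
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => !empty($_SERVER['HTTPS']),   // only sent over TLS when available
        'httponly' => true,                         // the "HTTP only cookies" setting
        'samesite' => 'Lax',
    ]);
    session_start();
}

// Issue a fresh random token for one action; stored server-side, spent on first use.
function issue_token(string $action): string
{
    $token = bin2hex(random_bytes(32));
    $_SESSION['tokens'][$action] = ['value' => $token, 'time' => time()];
    return $token;
}

// Validate and consume the token for an action. Returns true at most once per token,
// and discards the stored token even when validation fails.
function consume_token(string $action, string $submitted, int $max_age = 3600): bool
{
    $stored = $_SESSION['tokens'][$action] ?? null;
    unset($_SESSION['tokens'][$action]);            // one use only
    if ($stored === null || time() - $stored['time'] > $max_age) {
        return false;                               // missing or expired
    }
    return hash_equals($stored['value'], $submitted); // constant-time comparison
}

// In the page that renders the form:
start_hardened_session();
$token = issue_token('admin-delete-board');
echo '<input type="hidden" name="token" value="'
    . htmlspecialchars($token, ENT_QUOTES, 'UTF-8') . '">';

// In the handler that receives the POST, before doing anything destructive:
// if (!consume_token('admin-delete-board', $_POST['token'] ?? '')) {
//     http_response_code(403);
//     exit;
// }
```

A link or form hosted elsewhere cannot know the token, so a request it triggers fails the check; a replayed copy of a genuine request fails too, because the token was consumed the first time.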



Adish - (F.L.A.M.E.R)

Awesome! Security is extremely important and SMF always tries to get on top of the issues before others get into it. :)



Joseph H

That's great.... And it's a big step ahead... Can't wait


Former SMF Project Manager
Former SMF Customizer

"For as lang as hunner o us is in life, in nae wey
will we thole the Soothron tae owergang us. In truth it isna for glory, or wealth, or
honours that we fecht, but for freedom alane, that nae honest cheil gies up but wi life



Interesting...  Sessions sometimes give me a hard time.  I look forward to a new variation.

I have been playing with tokens. Worked fine in a single PHP file, but when I broke it into a source and template things went south. Then my real job got in the way... preventing me from discovering why the token verification was failing between some script files. Sounds like this new version will assist me to get back on track... Sweet!!!

I have been truly inspired by the SUGGESTIONS as I sit on my throne and contemplate the wisdom imposed upon me.



For security, is there a chance you can add a slider for human verification? Basically, an "Are You Human?" prompt, then slide a slider from left to right (works with touch devices).


Not recommended.

The methodology of such would not be difficult to break for bots. All a bot has to do is identify the form value that relates to the slider, and make sure that its value is empty on submission. Given that SMF would then be a 'standard installation', it would be worth a bot author taking the time to identify the routine that generates this.