I am happy to announce the 1.2.2 release of the Alpha Framework is now available for download. You can download the release from the Alpha website here. This is a maintenance release of Alpha, that introduces a number of security improvements including the following highlights:
The utility functions for generating and checking the two hidden form security fields, which are designed to prevent replay attacks, now use TripleDES rather than MD5 to encode the security field values.
The security.encrypt.http.fieldnames setting has been added. When set, field names are encrypted using TripleDES and your application's unique private key. So for example this:
<input type="text" name="email" id="email" value=""/> <input type="password" name="password" id="password" value=""/>
<input type="text" name="jZyulLejxMg=" id="jZyulLejxMg=" value=""/> <input type="password" name="TKd1jH07P54=" id="TKd1jH07P54=" value=""/>
The feature is designed to make it more difficult for spam bots to scrape your site for common submission forms (login, feedback, registration etc.).
A new Logger::action() method has been added, to optionally log user actions to the ActionLog table as an audit trail of actions carried out by the current user.
For more information on this release, see the full change log and expect more releases to come in 2014. The next release will focus on usability improvements.