Alpha Framework 1.2.2 Released

 
Published on 2013-10-30 by John Collins.

I am happy to announce that the 1.2.2 release of the Alpha Framework is now available for download. You can download the release from the Alpha website here. This is a maintenance release of Alpha that introduces a number of security improvements, including the following highlights:

TripleDES replaces MD5

The utility functions for generating and checking the two hidden form security fields, which are designed to prevent replay attacks, now use TripleDES rather than MD5 to encode the security field values.

Support for encrypted form field names added

The security.encrypt.http.fieldnames setting has been added. When set, field names are encrypted using TripleDES and your application's unique private key. So, for example, this:

<input type="text" name="email" id="email" value=""/>
<input type="password" name="password" id="password" value=""/>

Becomes:

<input type="text" name="jZyulLejxMg=" id="jZyulLejxMg=" value=""/>
<input type="password" name="TKd1jH07P54=" id="TKd1jH07P54=" value=""/>

The feature is designed to make it more difficult for spam bots to scrape your site for common submission forms (login, feedback, registration, etc.).

User action audit trails

A new Logger::action() method has been added to optionally log user actions to the ActionLog table, as an audit trail of actions carried out by the current user.

Additional HTTP improvements

For more information on this release, see the full change log, and expect more releases to come in 2014. The next release will focus on usability improvements.


Updated 2024: note that the above post was originally published in 2013 and is outdated, but is left here for archival purposes. I have fixed some broken links.