What's New in PHPMaker 2025

PHPMaker 2025 is another major upgrade from the previous version. It is loaded with new features, including many security features. PHPMaker is probably the most powerful and flexible product of its kind, and yet still easy-to-use as always.

**IMPORTANT** If you upgrade from previous versions, please note that there are some breaking changes in this version. Make sure you read [Migrating to v2025](migrate2025.html) first.

Enhanced Two Factor Authentication

- Support Google Authenticator, email and SMS
- Support super admin account
- Email address and phone number verification
  ![Configure 2FA](images/2faconfig.png)
- Selectable 2FA types during runtime
  ![Select 2FA Type](images/2faselect.png)

Mailer and Notifier

- Support various third-party mailers (for sending emails)
- Support various third-party notifiers (for sending SMS)
- Send text-based email/SMS notifications easily
- MessageEvent, SentMessageEvent and FailedMessageEvent

Enhanced Advanced Security

- **User ID Security for same/parent user levels**
  - Allow access to records for users with same/parent user level
    ![User ID Security for same/parent user levels](images/useridforsameuserlevel.png)
- **User level hierarchy**
  - A user level will automatically have all the permissions of sub user levels
    ![User level hierarchy](images/subuserlevels.png)

Access Control by Roles

Using access control, you can control the required permissions to visit a specific URL.

- Secure your site by URL patterns
- Use **roles** to grant access to specific sections of your site
- Hierarchical roles (mapped to static user level hierarchy)
- Allow unsecured access by anonymous users
- Force HTTPS or HTTP for different URLs

Password Migration

To protect passwords better, it is recommended to migrate legacy passwords to the latest hash algorithms. Now you can migrate easily: if a better hash algorithm is supported on your system, the user's password will be rehashed using the newer algorithm and stored.

- Enable simply by the advanced setting [Migrate password algorithm](tools.html?id=migrate-password-algorithm)
- Password hashing options (including algorithms)
- Transparent to users
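
The rehash-on-login pattern described above, as an added example that is not PHPMaker's generated code. It uses PHP's built-in `password_*` functions; `preferredAlgo()` and `verifyAndMigrate()` are hypothetical names, and the bcrypt cost values are assumptions chosen for the demonstration.

```php
<?php
declare(strict_types=1);

/** Strongest algorithm this PHP build supports, with its options. */
function preferredAlgo(): array
{
    if (defined('PASSWORD_ARGON2ID')) {
        return [PASSWORD_ARGON2ID, []];        // PHP's default Argon2 costs
    }
    return [PASSWORD_BCRYPT, ['cost' => 12]];
}

/**
 * Returns [authenticated, newHash]. newHash is non-null only when the
 * stored hash should be replaced; the caller persists it.
 */
function verifyAndMigrate(string $password, string $storedHash): array
{
    if (!password_verify($password, $storedHash)) {
        return [false, null];                  // never rehash on a failed login
    }
    [$algo, $options] = preferredAlgo();
    if (password_needs_rehash($storedHash, $algo, $options)) {
        return [true, password_hash($password, $algo, $options)];
    }
    return [true, null];
}

// Constructed sample: a legacy bcrypt hash with a deliberately low cost.
$stored = password_hash('correct horse', PASSWORD_BCRYPT, ['cost' => 4]);
echo 'before: ', password_get_info($stored)['algoName'], "\n";

[$ok, $newHash] = verifyAndMigrate('correct horse', $stored);
if ($ok && $newHash !== null) {
    $stored = $newHash;                        // stands in for the UPDATE on the users table
}
echo 'after:  ', password_get_info($stored)['algoName'], "\n";

// The migrated hash still verifies, and a second login does not rehash again.
[$ok2, $again] = verifyAndMigrate('correct horse', $stored);
var_dump($ok2, $again === null);

// A wrong password neither authenticates nor triggers migration.
var_dump(verifyAndMigrate('wrong guess', $stored));
```

Migration can only happen at login because that is the one moment the plaintext password is available, so accounts that never log in keep their legacy hash.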

Improved Login Attempts Tracking

Login Attempts Tracking is enhanced to use triple tracking:

1. [Maximum failed attempts](securitysetup.html?id=maximum-failed-attempts) (default is 3) for **IP address + username** ("local" limiter),
2. **5 * Maximum failed attempts** for **username** ("global" limiter). This limit protects against an attacker using multiple IP addresses to bypass the first limit.
3. **5 * Maximum failed attempts** for **IP address** ("global" limiter). This limit protects against an attacker using multiple usernames to bypass the first limit.

Global and local limiters can use different policy and settings, see [Track failed attempts](securitysetup.html?id=track-failed-attempts) for details.
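
A minimal model of the three limiters, added here to show which one trips in each case; it is not PHPMaker's implementation. `LoginThrottle` and `failuresUntilBlocked()` are hypothetical names, and the model assumes plain in-memory counters with no time window, whereas the real limiters have configurable policies.

```php
<?php
final class LoginThrottle
{
    private array $failures = [];   // limiter key => failed-attempt count
    public function __construct(private int $maxFailed = 3) {}

    /** The three limiter keys for one attempt, each with its limit. */
    private function limits(string $ip, string $user): array
    {
        $user = strtolower($user);
        return [
            "local:$ip|$user" => $this->maxFailed,      // IP address + username
            "username:$user"  => 5 * $this->maxFailed,  // username from any IP
            "ip:$ip"          => 5 * $this->maxFailed,  // IP address, any username
        ];
    }

    /** Name of the limiter blocking this attempt, or null if allowed. */
    public function blockedBy(string $ip, string $user): ?string
    {
        foreach ($this->limits($ip, $user) as $key => $limit) {
            if (($this->failures[$key] ?? 0) >= $limit) {
                return explode(':', $key, 2)[0];
            }
        }
        return null;
    }

    public function recordFailure(string $ip, string $user): void
    {
        foreach (array_keys($this->limits($ip, $user)) as $key) {
            $this->failures[$key] = ($this->failures[$key] ?? 0) + 1;
        }
    }
}

/** Fail repeatedly until blocked; $next($n) yields the n-th [ip, username]. */
function failuresUntilBlocked(callable $next): string
{
    $t = new LoginThrottle();
    for ($n = 0; ($by = $t->blockedBy(...$next($n))) === null; $n++) {
        $t->recordFailure(...$next($n));
    }
    return "$n failures, then blocked by the $by limiter";
}

// Constructed scenarios using the documentation range 203.0.113.0/24.
echo failuresUntilBlocked(fn($n) => ['203.0.113.9', 'alice']), "\n";              // same IP, same user
echo failuresUntilBlocked(fn($n) => ['203.0.113.' . ($n + 1), 'alice']), "\n";   // rotating IPs
echo failuresUntilBlocked(fn($n) => ['203.0.113.9', "user$n"]), "\n";            // rotating usernames
```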

Improved LDAP Authentication

- LDAP query without server event
- Support ``search_dn``, ``search_password``, ``query_string`` and ``extra_fields`` advanced settings for searching, no need to use ``Ldap_Validated`` server event to search by yourself anymore
- Get the authenticated LDAP user (e.g. to get the extra fields) by ``GetLdapUser()``
- Default **roles** for LDAP users (for access control)

Impersonating User

Sometimes it's useful to be able to switch from one user to another without having to log out and log in again (for instance when you are debugging something a user sees that you can't reproduce). Administrators can now impersonate other users (from the database). When enabled, administrators can select a user from the List page of the users table to impersonate. You can also grant this special permission to some other users by code.

![Switch user](images/switchuser.png)
![Switch back](images/switchback.png)

Passwordless Login Link

In previous versions, the **Allow login by URL** advanced setting allowed users to log in via a URL like ``login?username=xxx&password=yyy``. However, passing a password in a URL is unsafe, so the option is now replaced by login links.

Login links are a passwordless authentication mechanism. Whenever a user wants to log in, a new link is generated and sent to them (e.g. using an email). The link fully authenticates the user in the application when clicking on it. This authentication method can help you eliminate most of the customer support related to authentication (e.g. I forgot my password, how can I change or reset my password, etc.)

- The authentication mechanism is also used by user activation links
- Allow creating login links yourself by global function
- Allow sending login link via email by administrator
  ![Send login link](images/sendloginlink.png)
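
One way such a link can carry proof of authenticity instead of a password, as an added example that is not PHPMaker's own code and does not reflect its actual link format. The HMAC scheme, the `user`/`expires`/`hash` parameter names, `LINK_SECRET`, the function names and the `app.example` URL are all assumptions.

```php
<?php
declare(strict_types=1);

// Constructed placeholder; a real key is long, random and kept out of source control.
const LINK_SECRET = 'constructed-demo-secret';

function signLogin(string $user, int $expires): string
{
    return hash_hmac('sha256', $user . "\n" . $expires, LINK_SECRET);
}

function createLoginLink(string $loginUrl, string $user, int $lifetime, int $now): string
{
    $expires = $now + $lifetime;
    $query = ['user' => $user, 'expires' => $expires, 'hash' => signLogin($user, $expires)];
    return $loginUrl . '?' . http_build_query($query);
}

/** Returns the authenticated username, or null for a bad or expired link. */
function verifyLoginLink(string $url, int $now): ?string
{
    parse_str((string) parse_url($url, PHP_URL_QUERY), $q);
    $user = $q['user'] ?? null;
    $expires = $q['expires'] ?? null;
    $hash = $q['hash'] ?? null;
    // Reject missing fields and array-valued parameters such as user[]=x.
    if (!is_string($user) || !is_string($hash) || !is_string($expires) || !ctype_digit($expires)) {
        return null;
    }
    if ((int) $expires < $now) {
        return null;                       // link lifetime is over
    }
    // Constant-time comparison of the recomputed signature.
    return hash_equals(signLogin($user, (int) $expires), $hash) ? $user : null;
}

$now  = 1_700_000_000;                     // constructed fixed clock
$link = createLoginLink('https://app.example/login', 'alice', 600, $now);
echo $link, "\n";
var_dump(verifyLoginLink($link, $now + 60));                      // within lifetime
var_dump(verifyLoginLink($link, $now + 601));                     // expired
var_dump(verifyLoginLink(str_replace('user=alice', 'user=admin', $link), $now)); // tampered
```

A link signed this way stays usable until it expires, so the lifetime should be short; enforcing single use needs server-side state that this sketch does not include.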

Soft Deleteable

The new **Soft Deleteable** behavior allows you to "soft delete" records, filtering them at SELECT time by marking them as deleted with a timestamp, but not explicitly removing them from the database. You just need to specify a nullable field that will be used to determine if the object is removed or not (``null`` means it's not removed, or a date value means it was removed). You can also set a future date so the records will be soft-deleted at expiration time. Also supported by ORM entities.

![Soft Deleteable](images/softdelete.png)

Content Security Policy (CSP)

[Content Security Policy (CSP)](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy) is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross-Site Scripting (XSS) and data injection attacks. Configuring Content Security Policy involves adding the ``Content-Security-Policy`` HTTP header. The policy is a string containing the policy [directives](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy#directives) describing your Content Security Policy. PHPMaker 2025 includes a CSP middleware to generate the header. You can fully customize these directives by setting ``Config("CSP")``.

File Storage

PHPMaker now provides a filesystem abstraction which gives you one interface to interact with many types of filesystems, including:

- Local
- AWS S3
- Google Cloud Storage
- Azure Blob Storage

The filesystem is mainly used for file uploads. You can now specify a remote global upload folder and field-specific upload folders by [filesystem URI](filestorage.html?id=filesystem-uri) easily. Filesystem API [global functions](filestorage.html?id=filesystem-api) are also provided for simpler usage.

Improved Debugging Features

Debugging PHP code can be a challenging task, but debugging is an inevitable part of the development process. You have to configure your [php.ini](https://www.php.net/manual/en/configuration.file.php) properly to report, display and log errors for debugging yourself, but PHPMaker makes **runtime** debugging a little easier with:

- A quick checkbox on the [Generate](debug.html?id=enable-debugging) tab to enable all options for debugging
  ![Enable debug](images/enabledebug.png)
- [Debug Bar](debug.html?id=debug-bar) to show debugging information at the bottom of the page, including Ajax and stacked data
  ![Debug Bar](images/debug1.png)

More Server Side Validators

The new **Assert** validation type is a server-side only validation designed to validate values against _constraints_. It supports many of the most commonly-needed constraints (see [Supported Constraints](https://symfony.com/doc/current/validation.html#supported-constraints)). Some constraints are simple (e.g. the ``NotBlank`` constraint validates that a value is not blank) whereas others have several configuration options available (e.g. the ``Choice`` constraint ensures that the given value is one of a given set of valid choices). You can also create your own custom constraints. The validators can also be used directly in the server-side **Form_CustomValidate** server event.

New Advanced Settings

- Auto save project on generate
- Activate user link lifetime (seconds)
- Use table filter for filter fields
- Cache folder for routes and container
- DBAL version
- PostgreSQL driver
- SQLite driver
- [File Storage](filestorage.html?id=advanced-settings) advanced settings
- [LDAP](authentication.html?id=authenticating-against-an-ldap-server) advanced settings
- Soft delete time aware period (for Soft Deleteable)
- Use PHPMailer (for use by default Symfony Mailer)
- Use OAuth2 (enable HybridAuth for custom provider)
- Mailer DSN (for third party mailer)
- [Password Hashing](authentication.html?id=password-hashing-and-verification) advanced settings
- Use content security policy (CSP)
- Use nonce (strict CSP)
- Log all export requests

More

- Supports PHP >= 8.1.0
- Type declarations
- Always UTF-8
- CSRF middleware
- Save language ID for Multi-Language project
- Browser tab ID for differentiating Master/Detail session variables
- Searching lookup fields with multiple selection
- Security events (Authentication events and others)
- **Always remember me** option
- **Container_Built** server event
  - Invoked after container is built
- **Services_Config** server event
  - For configuring services of authentication middleware
- **Ldap_Validated** server event **removed** in favour of LDAP advanced settings
- Allow skipping Insert/Update/Delete in **Row_Inserting/Updating/Deleting** server events for grid actions
- Maximum backup project versions increased to 100
- Doctrine ORM 3.0 and DBAL 4.0
- Use 'allDay' for new events in week/day views (Calendar reports)
- Update to Dompdf 3 and support callbacks (dompdf extension)
- Min/Max date field for datetime picker (DateTimePicker extension)
- Segoe UI font and larger font size (UI)
- Many other minor improvements


 ©2002-2025 e.World Technology Ltd. All rights reserved.