Breaking: #88527 - Overriding custom values in User Authentication derivatives

See forge#88527


Due to some restructuring of TYPO3\CMS\Core\Authentication\AbstractUserAuthentication and its direct sub-classes TYPO3\CMS\Core\Authentication\BackendUserAuthentication (a.k.a. $BE_USER) and TYPO3\CMS\Frontend\Authentication\FrontendUserAuthentication, various settings are now directly initiated and set in the respective constructor of each PHP class.

Following this, the properties sessionTimeout, gc_time and sessionDataLifetime are set already when the constructor is called. Before this was the case when start() was called.

In addition, the property loginType must be set for any subclass on instantiation. Previously this was possible to be set just before start() was called.

The previous behavior allowed to override certain parameters to be evaluated just before start().


Setting any global variables between the constructor method and start() will have no effect, as this is transferred and evaluated at the public properties already when the constructor is called.

Subclassing AbstractUserAuthentication without setting loginType will trigger an exception on instantiation.

Affected Installations

Any TYPO3 installation where a custom UserAuthentication instantiation or sub-class is in place, and the setting order was changed between calling the constructor and the method start(), which is considered a very rare case.


Consider using a proper subclass and a custom constructor method, or set all properties properly before the constructor is called (default values of class members).