Breaking: #88458 - Removed Frontend Track User "ftu" functionality

See forge#88458

Description

The "ftu" feature, used to transfer sessions via GET parameter, has been removed.

When enabled via the TypoScript setting config.ftu, the implementation and the functionality raised security concerns, because sessions could have been taken over by link sharing, although this was mitigated in the past by a security change.

Impact

The following public properties now trigger PHP E_WARNING when accessed:

  • TYPO3\CMS\Core\Authentication\AbstractUserAuthentication->get_name

  • TYPO3\CMS\Core\Authentication\AbstractUserAuthentication->getFallBack

  • TYPO3\CMS\Core\Authentication\AbstractUserAuthentication->getMethodEnabled

  • TYPO3\CMS\Core\Authentication\AbstractUserAuthentication->get_URL_ID

  • TYPO3\CMS\Frontend\Controller\TypoScriptFrontendController->getMethodUrlIdToken

The TypoScript setting config.ftu has no effect anymore.

The global configuration setting $GLOBALS['TYPO3_CONF_VARS']['FE']['get_url_id_token'] is not set anymore.

Affected Installations

Any TYPO3 installation using the config.ftu functionality.

Migration

Remove any usages of the properties or options, and use custom session handling that does not hand over session IDs in plaintext via GET parameters. Suggested alternatives are, for instance, JWT payloads or OTP links for starting a session.
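
A sketch of the OTP-link alternative, added here as an example and not taken from TYPO3 core: the link carries an HMAC-signed, expiring, single-use token instead of a session ID. The class name OtpLinkService, its in-memory store and the secret are hypothetical; the assumption is that the caller starts a regular session with a freshly generated ID after a successful redeem().

```php
<?php
declare(strict_types=1);
// Added example, not TYPO3 core code: OtpLinkService and its storage are hypothetical.
final class OtpLinkService
{
    private $secret;
    /** @var array<string,bool> SHA-256 of outstanding tokens; stand-in for a database table */
    private $outstanding = [];

    public function __construct(string $secret)
    {
        $this->secret = $secret;
    }

    /** Issue a short-lived, single-use token for a user. It is not a session ID. */
    public function issue(int $userId, int $ttl = 300, ?int $now = null): string
    {
        $expires = ($now ?? time()) + $ttl;
        $payload = $userId . '.' . $expires . '.' . bin2hex(random_bytes(16));
        $token = $payload . '.' . hash_hmac('sha256', $payload, $this->secret);
        $this->outstanding[hash('sha256', $token)] = true;
        return $token;
    }

    /** Return the user ID exactly once; null if forged, expired or already redeemed. */
    public function redeem(string $token, ?int $now = null): ?int
    {
        $parts = explode('.', $token);
        if (count($parts) !== 4) {
            return null;
        }
        [$userId, $expires, $nonce, $mac] = $parts;
        $expected = hash_hmac('sha256', "$userId.$expires.$nonce", $this->secret);
        if (!hash_equals($expected, $mac) || (int)$expires < ($now ?? time())) {
            return null;
        }
        $key = hash('sha256', $token);
        if (!isset($this->outstanding[$key])) {
            return null;
        }
        unset($this->outstanding[$key]); // burn the token so a shared link cannot be replayed
        return (int)$userId;
    }
}
// Constructed sample values: the same token is redeemed twice in a row.
$links = new OtpLinkService('constructed-demo-secret');
$token = $links->issue(42);
var_dump($links->redeem($token), $links->redeem($token));
```

In an extension the outstanding-token store would be a database table, and the lookup and delete in redeem() would have to happen atomically so that two parallel requests cannot both succeed.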

For cookie-less session handling, custom functionality depending on the use case has to be implemented as a TYPO3 extension.