Breaking: #88458 - Removed Frontend Track User "ftu" functionality
See forge#88458
Description
The "ftu" feature, used to transfer sessions via a GET parameter, has been removed.

Both the implementation and the functionality itself raised security concerns when enabled via TypoScript config.ftu: because the session ID was part of the URL, anyone who obtained a shared, forwarded or logged link could take over the session. This had been mitigated in the past by a security change, but the underlying design remained unsafe.
Impact
The following public properties now trigger PHP E_ errors when accessed:

* TYPO3\CMS\Core\Authentication\AbstractUserAuthentication->get_name
* TYPO3\CMS\Core\Authentication\AbstractUserAuthentication->getFallBack
* TYPO3\CMS\Core\Authentication\AbstractUserAuthentication->getMethodEnabled
* TYPO3\CMS\Core\Authentication\AbstractUserAuthentication->get_URL_ID
* TYPO3\CMS\Frontend\Controller\TypoScriptFrontendController->getMethodUrlIdToken
The TypoScript setting config.ftu has no effect anymore.
The corresponding global configuration setting under $GLOBALS is not set anymore.
Affected Installations
Any TYPO3 installation using the config.ftu functionality.
Migration
Remove any usages of the properties or options listed above, and use a custom session handling that does not hand over session IDs in plaintext via GET parameters. Suggested alternatives are, for instance, JWT payloads or OTP links for starting a session. Whatever replaces "ftu" should not put a long-lived credential into a URL either: an OTP link should be single-use and short-lived, and a JWT should be signed, expire quickly and be exchanged for a regular cookie-based session rather than being reused as the session itself.

For cookie-less session handling, a custom functionality depending on the use case has to be implemented as a TYPO3 extension.
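The following is an added example, not TYPO3 code and not part of the original changelog. It puts the removed pattern (a session ID carried in a GET parameter, assumed here to be named ftu) next to the OTP-link alternative the migration section suggests: a random single-use, short-lived token that is stored only as a hash and is exchanged on redemption for a fresh, cookie-based session. The class name OneTimeLoginLinks, the example.org URLs and the in-memory arrays are illustration-only assumptions; a real extension would persist the records in its own storage.

```php
<?php
declare(strict_types=1);

// Added example, not TYPO3 code. Contrasts the removed "ftu" pattern
// (session ID in a GET parameter; the parameter name "ftu" is assumed)
// with a single-use login link exchanged for a fresh cookie-based session.
// Class name, example.org URLs and in-memory arrays are assumptions.

/**
 * The removed pattern: whoever holds the URL holds the session.
 * $sessions maps session ID => user ID.
 */
function resumeSessionFromUrl(array $sessions, string $url): ?int
{
    parse_str((string) parse_url($url, PHP_URL_QUERY), $query);
    $sessionId = $query['ftu'] ?? '';
    // No expiry, no single-use, no binding to a browser: a forwarded mail,
    // a chat message or a proxy log is enough to take the session over.
    return is_string($sessionId) ? ($sessions[$sessionId] ?? null) : null;
}

final class OneTimeLoginLinks
{
    private const TTL_SECONDS = 600;

    /** @var array<string, array{user:int, expires:int}> pending links, keyed by sha256(token) */
    private array $pending = [];
    /** @var array<string, int> live sessions: session ID => user ID */
    private array $sessions = [];

    /** Issue a link for $userId; only a hash of the token is kept server-side. */
    public function issue(int $userId, int $now): string
    {
        $token = bin2hex(random_bytes(32)); // 256 bits from a CSPRNG
        $this->pending[hash('sha256', $token)] = [
            'user' => $userId,
            'expires' => $now + self::TTL_SECONDS,
        ];
        return 'https://example.org/login?otp=' . $token;
    }

    /**
     * Redeem a link exactly once. Returns a new session ID on success, null
     * otherwise. The caller must send that ID only as an HttpOnly, Secure,
     * SameSite cookie and never put it back into a URL.
     */
    public function redeem(string $url, int $now): ?string
    {
        parse_str((string) parse_url($url, PHP_URL_QUERY), $query);
        $token = $query['otp'] ?? '';
        if (!is_string($token) || preg_match('/^[0-9a-f]{64}$/', $token) !== 1) {
            return null;
        }
        $key = hash('sha256', $token);
        $entry = $this->pending[$key] ?? null;
        if ($entry === null) {
            return null;
        }
        unset($this->pending[$key]);     // consumed on first use, valid or not
        if ($entry['expires'] < $now) {
            return null;                 // expired links are burned, not extended
        }
        $sessionId = bin2hex(random_bytes(32));
        $this->sessions[$sessionId] = $entry['user'];
        return $sessionId;
    }

    public function userForSession(string $sessionId): ?int
    {
        return $this->sessions[$sessionId] ?? null;
    }
}

// Constructed walk-through.
$now = time();
$links = new OneTimeLoginLinks();
$link = $links->issue(42, $now);

$first = $links->redeem($link, $now);                         // new session ID
$second = $links->redeem($link, $now);                        // null: already consumed
$stale = $links->redeem($links->issue(42, $now), $now + 601); // null: expired

printf("first redeem -> user %s\n", var_export($first !== null ? $links->userForSession($first) : null, true));
printf("replayed link -> %s\n", var_export($second, true));
printf("expired link -> %s\n", var_export($stale, true));

// Versus the removed pattern: the same URL keeps working for everyone who has it.
$legacy = ['abc123' => 42];
printf("ftu link resumed by anyone -> user %s\n",
    var_export(resumeSessionFromUrl($legacy, 'https://example.org/?id=1&ftu=abc123'), true));
```

The token is stored only as a SHA-256 hash, so a leaked pending-links table does not yield usable URLs, and the lookup is by hash key rather than by comparing raw tokens. The link is deleted before the expiry check, so neither a replayed nor an expired link can be retried. A JWT-based variant needs the same properties to be safe: a short exp claim, a tracked jti so the token is accepted once, and a one-time exchange for a cookie session instead of reusing the JWT as the session credential.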