Breaking: #92801 - Removed "Failed Login" functionality from User Authentication object

See forge#92801


The functionality to send an email to a defined sender was previously hard-coded into the API class AbstractUserAuthentication and activated specifically for Backend Users via the option $GLOBALS['TYPO3_CONF_VARS']['BE']['warning_email_addr'].

With some custom implementation it was also possible to use a hook to enable this for frontend users, but the API was not clean.

The backend-user specific logic is now extracted into a hook, so it is possible to replace this functionality with a custom notification API.

For this reason, the following public properties and methods within AbstractUserAuthentication and its subclasses have been removed:

  • TYPO3\CMS\Core\Authentication\AbstractUserAuthentication->warningEmail
  • TYPO3\CMS\Core\Authentication\AbstractUserAuthentication->warningPeriod
  • TYPO3\CMS\Core\Authentication\AbstractUserAuthentication->warningMax
  • TYPO3\CMS\Core\Authentication\AbstractUserAuthentication->checkLogFailures()


Using one of the public properties in custom PHP will trigger a PHP Warning.

Calling the public PHP method will result in a fatal PHP error.

Affected Installations

TYPO3 installations with third-party extensions and custom PHP code that is related to failed login notifications, and rely on the existing login notification code.


As the properties were public, they made it possible to override the warningMax / warningPeriod values via hooks and middlewares in PHP.

Instead it is recommended to override this functionality via a hook the same way the new hook in EXT:backend is registered within PHP.