Breaking: #92807 - Removed feature for keeping session data on frontend user logout¶

Description¶

When a frontend user logged out, the session data was kept and transferred to an anonymous session when the feature flag security.frontend.keepSessionDataOnLogout was enabled.

Since this functionality is insecure, and was only introduced to keep backwards-compatibility in a security release, the feature has been removed completely.

Impact¶

When logging out as a frontend user, all session data is now actively removed and not kept as a new anonymous session.

Affected Installations¶

TYPO3 installations having this feature enabled and actively using this feature, e.g. in cart functionality.

Migration¶

It is recommended to build the web application in a way that the session data is not needed, and instead a frontend user should know that their session data is lost upon log out.

Make sure to bind user-specific data either to the frontend user itself, or re-implement this functionality yourself by using a logoff() hook for transferring sessions to anonymous sessions.