Breaking: #92997 - Authentication-related HTTP cache headers are emitted only by PSR-15 middlewares¶
In previous TYPO3 versions, when a user session was initiated or set
(e.g. due to login or cookie), class
AbstractUserAuthentication was instructed
to send HTTP headers immediately via the PHP function
These headers were sent directly to the client without having a chance to manipulate a response, or simulate this behavior via proper tests in a testing suite.
These HTTP headers for not caching a HTTP response were already attached to the PSR-7 Response when an active Backend user was available in Frontend and Backend requests, but not when a Frontend user was logged in.
The internal methods in class
AbstractUserAuthentication are removed.
These headers are now only sent via the PSR-7 Response object, and emitted at
the very end of a Request/Response lifecycle in a TYPO3 Application (for Frontend
and Backend Requests), and not via the
header() function anymore.
TYPO3 installations with custom extensions manipulating HTTP headers or the
options within class
AbstractUserAuthentication to send such headers.
If any changes regarding the PSR-7 Response headers are needed, it is recommended to build a custom PSR-15 middleware in a TYPO3 Extension.