Breaking: #93023 - Reworked session handling
See forge#93023
Description
The overall session handling within TYPO3 Core has been overhauled. This was done to separate the actual User object, the Authentication process and the session handling.
The main result of this refactoring is that the user authentication objects such as Backend and Frontend no longer contain the session data directly. Instead, this is now encapsulated in a User object which is handled by the new User.
Furthermore, the user authentication objects internally no longer know about a specific session backend implementation, since this is also wrapped by the User. This also means it is not possible to create sessions outside of the new session manager anymore.
For this purpose, there are several changes within the user authentication classes which are described below.
The array Abstract previously contained the logged-in user record (from be_users / fe_users database table) AND the session record prefixed via ses_* array properties. This has been removed, to separate the functionality. Instead, all session properties are placed inside the User object, accessible via e.g. $GLOBALS.
The following public properties within Abstract and its subclasses have been removed:
TYPO3\CMS\Core\Authentication\AbstractUserAuthentication->id
TYPO3\CMS\Core\Authentication\AbstractUserAuthentication->hash_length
TYPO3\CMS\Core\Authentication\AbstractUserAuthentication->sessionTimeout
TYPO3\CMS\Core\Authentication\AbstractUserAuthentication->gc_time
TYPO3\CMS\Core\Authentication\AbstractUserAuthentication->gc_probability
TYPO3\CMS\Core\Authentication\AbstractUserAuthentication->newSessionID
The following public methods within Abstract and its subclasses have been removed:
TYPO3\CMS\Core\Authentication\AbstractUserAuthentication->getNewSessionRecord()
TYPO3\CMS\Core\Authentication\AbstractUserAuthentication->getSessionId()
TYPO3\CMS\Core\Authentication\AbstractUserAuthentication->isExistingSessionRecord()
The following public property within Abstract has changed its visibility to protected:
TYPO3\CMS\Core\Authentication\AbstractUserAuthentication->lifetime
The following public methods within Abstract and its subclasses have changed their return type:
TYPO3\CMS\Frontend\Authentication\FrontendUserAuthentication->createUserSession() now returns \TYPO3\CMS\Core\Session\UserSession and the first parameter $tempuser is now type-hinted array.
The following public properties within Frontend have been removed:
TYPO3\CMS\Frontend\Authentication\FrontendUserAuthentication->sesData_change
The following database fields have been removed:
be_sessions.ses_backuserid
fe_sessions.ses_anonymous
Impact
Accessing a dropped property or calling a dropped method will raise a fatal PHP error.
Accessing a property whose visibility was changed to protected will also raise a fatal PHP error if no deprecation functionality is in place. See Deprecation: #93023 - Reworked session handling for more information.
Calling a method whose parameter signature changed with a wrong type will raise a PHP type error.
Directly querying a dropped database field will raise a Doctrine DBAL exception.
Affected Installations
All TYPO3 installations with custom extensions directly accessing or calling the changed properties or methods.
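One way to locate affected custom extension code, as an added example that is not part of the TYPO3 changelog or of TYPO3 Core: a Python scan of PHP source for the members and database fields listed above. The receiver heuristic (an expression containing "user", such as the `$GLOBALS['BE_USER']` global) and the sample input are assumptions made for this example.

```python
import re

# Members this page lists as removed, changed or made protected.
REMOVED_PROPERTIES = {"id", "hash_length", "sessionTimeout", "gc_time",
                      "gc_probability", "newSessionID", "sesData_change"}
REMOVED_METHODS = {"getNewSessionRecord", "getSessionId", "isExistingSessionRecord"}
CHANGED_METHODS = {"createUserSession"}  # new return type, array $tempuser
PROTECTED_PROPERTIES = {"lifetime"}
REMOVED_DB_FIELDS = {"ses_backuserid", "ses_anonymous"}

# Heuristic (assumption): only receivers whose expression contains "user" are
# treated as user authentication objects, so that generic names such as ->id
# do not match every object in the code base.
MEMBER_RE = re.compile(
    r"(?P<recv>[\w$\[\]'\"]*user[\w\]'\"]*)\s*->\s*(?P<name>\w+)\s*(?P<call>\()?",
    re.IGNORECASE)
FIELD_RE = re.compile(r"\b(" + "|".join(sorted(REMOVED_DB_FIELDS)) + r")\b")


def scan(source, filename="<memory>"):
    """Return (file, line, kind, name) for each use of an affected member."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for m in MEMBER_RE.finditer(line):
            name, is_call = m.group("name"), m.group("call") is not None
            if is_call and name in REMOVED_METHODS:
                kind = "removed method"
            elif is_call and name in CHANGED_METHODS:
                kind = "changed signature"
            elif not is_call and name in REMOVED_PROPERTIES:
                kind = "removed property"
            elif not is_call and name in PROTECTED_PROPERTIES:
                kind = "now protected"
            else:
                continue
            findings.append((filename, lineno, kind, name))
        for m in FIELD_RE.finditer(line):
            findings.append((filename, lineno, "removed db field", m.group(1)))
    return findings


# Constructed sample input, not taken from any real extension.
SAMPLE = """<?php
$sid = $GLOBALS['BE_USER']->id;
$old = $frontendUser->getSessionId();
$this->id = 5;
$ttl = $beUser->lifetime;
$session = $feUser->createUserSession($row);
$qb->where($qb->expr()->eq('ses_anonymous', 1));
"""

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(*finding)
```

The receiver heuristic trades recall for fewer false positives; user objects held in differently named variables need a manual review.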
Migration
The session property is now set internally to the value of the global configuration (int)$GLOBALS. This value can also be set dynamically in e.g. a middleware if needed. Because it is only needed for User Session objects, it is now resolved within the User object.
gc_ is still set to 86400 by default and will be overwritten with the value from session (see above) if greater than 0.
Since it's very unlikely that gc_ will be changed in custom code, there is no direct way to set a custom value anymore. It's now directly set to 1 in the consuming method User. If your custom code however relies on another value, you can call User in your code by providing a custom value as first argument for $garbage.
The property new is now available in User.
Use the User as a replacement for get to migrate an anonymous session to a user-bound session.
If you directly call create in your custom code, make sure to pass an array as argument for $tempuser and to handle the returned User object accordingly.
Use User as replacement for Frontend.
The be_ field was migrated into the session data and is now available inside User, which can be accessed using get or get. Since this value is only present in "switch-user" sessions, it's very unlikely that custom code is directly accessing it. If you however perform database queries using this field, then they have to be adjusted accordingly.
The fe_ field is not needed anymore since this information can also be obtained using the fe_ field. If it is lower than or equal to 0, the session is an anonymous one. If you perform database queries using this field, change them to use ses_ instead.
Whether a session is anonymous can furthermore be checked using User.