Deprecation: #93023 - Reworked session handling

See forge#93023


As described in "Breaking: #93023 - Reworked session handling", the whole session handling in the TYPO3 Core was reworked by moving it out of the user authentication classes.

Therefore some properties and methods within AbstractUserAuthentication and its subclasses have been marked as deprecated:

  • TYPO3\CMS\Core\Authentication\AbstractUserAuthentication->createSessionId()
  • TYPO3\CMS\Core\Authentication\AbstractUserAuthentication->fetchUserSession()


Accessing the id property or calling isExistingSessionRecord() or getSessionId() will trigger a PHP E_USER_DEPRECATED error.

Calling createSessionId() or fetchUserSession() will not trigger a PHP E_USER_DEPRECATED error but will still be reported by the extension scanner.

Affected Installations

All TYPO3 installations with custom extensions directly accessing or calling the deprecated properties or methods.


Creating a new session is now handled by the UserSessionManager. Therefore the identifier is set internally on creation of a new session and should no longer be called directly. Use, for example, UserSessionManager->createAnonymousSession() or UserSessionManager->regenerateSession() to create a new session and then access UserSession->getIdentifier().

Use UserSessionManager->isSessionPersisted() instead of isExistingSessionRecord() to check if a session is already persisted.

Use the UserSessionManager to create a new session and then directly access the UserSession instead of calling fetchUserSession().

Use UserSession->getIdentifier() instead of getSessionId(). To access this information from a user authentication object, call $userAuthentication->getSession()->getIdentifier().
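
The replacements above, collected in one helper class as an added example (not code from the TYPO3 Core or its documentation). The namespace, class and method names are hypothetical, obtaining the manager through UserSessionManager::create() with the object's loginType is an assumption about how an extension gets one, and logReference() is an addition that keeps the raw identifier out of log files.

```php
<?php
declare(strict_types=1);

namespace Vendor\MyExtension\Session; // hypothetical extension namespace

use TYPO3\CMS\Core\Authentication\AbstractUserAuthentication;
use TYPO3\CMS\Core\Session\UserSessionManager;

/**
 * Hypothetical helper: each method replaces one deprecated access
 * on AbstractUserAuthentication with its UserSession counterpart.
 */
final class SessionInfo
{
    /**
     * Before: $user->id or $user->getSessionId()
     * After:  read the identifier from the UserSession object.
     */
    public function identifier(AbstractUserAuthentication $user): string
    {
        return $user->getSession()->getIdentifier();
    }

    /**
     * Before: $user->isExistingSessionRecord()
     * After:  ask the UserSessionManager whether the session is persisted.
     */
    public function isPersisted(AbstractUserAuthentication $user): bool
    {
        // Assumption: a manager for the same login type ("FE" or "BE")
        // is created here instead of being injected.
        $manager = UserSessionManager::create($user->loginType);

        return $manager->isSessionPersisted($user->getSession());
    }

    /**
     * Added for illustration: a truncated SHA-256 of the identifier that
     * lets log lines be correlated without storing a usable session ID.
     */
    public function logReference(AbstractUserAuthentication $user): string
    {
        return substr(hash('sha256', $this->identifier($user)), 0, 16);
    }
}
```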