Breaking: #94243 - Send user session cookies as hash-signed JWT
See forge#94243
Description
JSON Web Tokens (JWT) are used to transport user session identifiers in the be_ and fe_ cookies. Using JWT's HS256 (HMAC with SHA-256) makes it possible to determine whether a session cookie carries a valid signature before comparing it with server-side stored session data. This enhances overall performance a bit, since session cookies are checked on every request to TYPO3's backend and frontend.
JWT handling in PHP is provided by the third-party package firebase/php-jwt.
Impact
Session cookies be_ and fe_ can be pre-validated without querying the database, which filters out invalid requests early and slightly improves overall performance. The signature only proves that the cookie was issued by this installation; the server-side session record remains authoritative for whether the session still exists.
As a consequence, session tokens are no longer sent "as is" but are wrapped in a JWT whose payload contains the following claims:
identifier: the actual session identifier
time: the time the cookie was created (RFC 3339 format)
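The HS256 wrapping described above, as an added example that is not part of this changelog and is neither TYPO3 core nor firebase/php-jwt code: a plain-PHP encoder that builds the `identifier`/`time` payload, and a pre-validation decoder that pins the algorithm to HS256 and compares the signature in constant time before any session store is consulted. The function names, the demo key, and the session identifier are the example's own choices; how TYPO3 derives its signing key is not covered here.

```php
<?php
declare(strict_types=1);

// Added example, not TYPO3 core code: HS256 JWT wrapping of a session
// identifier, built on hash_hmac()/hash_equals() so it runs without Composer.
// Key and session identifier below are constructed for the demo.

function base64UrlEncode(string $data): string
{
    return rtrim(strtr(base64_encode($data), '+/', '-_'), '=');
}

function base64UrlDecode(string $data): string|false
{
    $padded = strtr($data, '-_', '+/');
    $padded .= str_repeat('=', (4 - strlen($padded) % 4) % 4);
    return base64_decode($padded, true); // strict mode rejects junk characters
}

/** Wrap a session identifier in an HS256-signed JWT with the payload described above. */
function createSessionJwt(string $sessionIdentifier, string $key, ?DateTimeImmutable $now = null): string
{
    $now ??= new DateTimeImmutable();
    $header = ['typ' => 'JWT', 'alg' => 'HS256'];
    $payload = [
        'identifier' => $sessionIdentifier,
        'time' => $now->format(DateTimeInterface::RFC3339),
    ];
    $signingInput = base64UrlEncode(json_encode($header, JSON_THROW_ON_ERROR))
        . '.' . base64UrlEncode(json_encode($payload, JSON_THROW_ON_ERROR));
    $signature = hash_hmac('sha256', $signingInput, $key, true);
    return $signingInput . '.' . base64UrlEncode($signature);
}

/**
 * Pre-validate a cookie value without a database lookup.
 * Returns the session identifier on success, null on any failure.
 */
function extractSessionIdentifier(string $jwt, string $key): ?string
{
    $parts = explode('.', $jwt);
    if (count($parts) !== 3) {
        return null;
    }
    [$encodedHeader, $encodedPayload, $encodedSignature] = $parts;

    // Pin the algorithm: the token's own header must never choose how it is verified.
    $header = json_decode(base64UrlDecode($encodedHeader) ?: '', true);
    if (!is_array($header) || ($header['alg'] ?? null) !== 'HS256') {
        return null;
    }

    $expected = hash_hmac('sha256', $encodedHeader . '.' . $encodedPayload, $key, true);
    $given = base64UrlDecode($encodedSignature);
    // Constant-time comparison avoids leaking how many signature bytes matched.
    if ($given === false || !hash_equals($expected, $given)) {
        return null;
    }

    $payload = json_decode(base64UrlDecode($encodedPayload) ?: '', true);
    if (!is_array($payload) || !is_string($payload['identifier'] ?? null)) {
        return null;
    }
    return $payload['identifier'];
}

// Demo with constructed values (assumption: the key is a server-side secret).
$key = random_bytes(32);
$sessionId = bin2hex(random_bytes(16));

$cookieValue = createSessionJwt($sessionId, $key);
var_dump(extractSessionIdentifier($cookieValue, $key) === $sessionId);

// A header rewritten to alg "none" and a token with a damaged signature are
// both rejected before any session lookup would happen.
$forged = base64UrlEncode('{"typ":"JWT","alg":"none"}') . '.'
    . explode('.', $cookieValue)[1] . '.';
var_dump(extractSessionIdentifier($forged, $key));
var_dump(extractSessionIdentifier($cookieValue . 'x', $key));
```

The explicit `alg` check is the part most often forgotten in hand-rolled verifiers; firebase/php-jwt achieves the same pinning by requiring the caller to name the allowed algorithm when decoding. A non-null return here only means the cookie is authentic; whether the session is still alive is still decided by the stored session data.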
Affected installations
All instances using TYPO3 v12 that have custom implementations handling be_ and fe_ cookie values.
Migration
Custom implementations handling be_ or fe_ cookies have to use the newly introduced method \TYPO3\ instead of the existing \TYPO3\.