Breaking: #94243 - Send user session cookies as hash-signed JWT

See forge#94243


JSON Web Tokens (JWT) are used to transport user session identifiers in be_typo_user and fe_typo_user cookies. Using JWT's HS256 (HMAC signed based on SHA256) allows to determine whether a session cookie is valid before comparing with server-side stored session data. This enhances the overall performance a bit, since sessions cookies would be checked for every request to TYPO3's backend and frontend.

JWT handling in PHP is provided by 3rd party package firebase/php-jwt.


Session cookies be_typo_user and fe_typo_user can be pre-validated without querying the database, which can filter invalid requests and might reduce the enhances the overall performance a bit.

As a consequence session tokens are not sent "as is" anymore, but are wrapped in a corresponding JWT message, which contains the following payload:

  • identifier reflects the actual session identifier
  • time reflects the time of creating the cookie (RFC 3339 format)

Affected installations

All instances using TYPO3 v12 and having custom implementations handling be_typo_user and fe_typo_user cookie values.


Custom implementations handling be_typo_user or fe_typo_user cookies, have to use the introduced method \TYPO3\CMS\Core\Session\UserSession::getJwt() instead of existing \TYPO3\CMS\Core\Session\UserSession::getIdentifier().