Breaking: #97305 - Introduce CSRF-like login token
See forge#97305
Description
\TYPO3\ requires a CSRF-like request-token to continue with the authentication process and to create an actual server-side user session.
The request-token has to be submitted by one of these ways:
- HTTP body, e.g. in <form> via parameter __request_token
- HTTP header, e.g. in XHR via header X-TYPO3-Request-Token
Impact
Core user authentication is protected by a CSRF-like request-token, to mitigate Login CSRF.
Custom implementations for login templates or client-side authentication handling have to be adjusted to submit the required request-token.
Affected installations
Sites having custom implementations for login templates or client-side authentication.
Migration
The \TYPO3\ signed with a \TYPO3\ needs to be sent as JSON Web Token (JWT) to the server-side application handling of the Core user authentication process. The scope needs to be core/ or core/, depending on whether authentication is applied in the website's backend or frontend context.
Example for overridden backend login HTML template (ext:backend)
--- a/typo3/sysext/backend/Resources/Private/Layouts/Login.html
+++ b/typo3/sysext/backend/Resources/Private/Layouts/Login.html
<input type="hidden" name="redirect_url" value="{redirectUrl}" />
<input type="hidden" name="loginRefresh" value="{loginRefresh}" />
+<input type="hidden" name="{requestTokenName}" value="{requestTokenValue}" />
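Review bot: the added hidden input takes both its name and value from Fluid variables ({requestTokenName}, {requestTokenValue}), and the hunk shows no enclosing form, only the neighbouring redirect_url and loginRefresh fields. The view rendering Login.html must assign both variables, and the field has to sit inside the form that posts the credentials; otherwise the request arrives without the token the authentication now requires.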
Example for overridden frontend login HTML template (ext:felogin)
--- a/typo3/sysext/felogin/Resources/Private/Templates/Login/Login.html
+++ b/typo3/sysext/felogin/Resources/Private/Templates/Login/Login.html
-<f:form target="_top" fieldNamePrefix="" action="login">
+<f:form target="_top" fieldNamePrefix="" action="login" requestToken="{requestToken}">
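Review bot: the change adds only requestToken="{requestToken}" to the f:form tag, so the {requestToken} variable must be assigned in the view for the attribute to carry anything. fieldNamePrefix="" is kept, which means the generated token field is submitted unprefixed, matching the unprefixed __request_token parameter named in the description.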
More details are explained in corresponding documentation on Feature #87616: Introduce CSRF-like request-token handling.