Deprecation: #100173 - Various methods and properties in UserAuthentication classes now internal

See forge#100173


Various methods and properties within the main classes regarding frontend user and backend user ($GLOBALS[BE_USER]) authentication handling have been either marked as internal or have been deprecated for usage outside of the classes.

This is due to the further refactorings and decoupling work, as subclasses of AbstractUserAuthentication deal with many more functionality nowadays, and therefore have been moved to service classes. The tight coupling of these classes, for example, the database fields, or login form field names are now marked as internal, as these properties should not be modified from the outside scope.

Instead, functionality like PSR-14 events or Authentication Services should influence the authentication and authorization workflow.

The following properties and methods are now marked as internal in all user authentication related classes (extending \TYPO3\CMS\Core\Authentication\AbstractUserAuthentication):

  • lastLogin_column
  • formfield_uname
  • formfield_uident
  • formfield_status
  • loginSessionStarted
  • dontSetCookie
  • isSetSessionCookie()
  • isRefreshTimeBasedCookie()
  • removeCookie()
  • isCookieSet()
  • unpack_uc()
  • appendCookieToResponse()

Additionally, the following properties of the \TYPO3\CMS\Frontend\Authentication\FrontendUserAuthentication implementation are marked as internal:

  • formfield_permanent
  • is_permanent


The affected properties and methods have been marked as @internal and set to protected. With an additional trait, it is still possible to access them in TYPO3 v12. In case third-party extensions call them, a PHP deprecation warning is thrown.

Affected installations

TYPO3 installations with custom extensions accessing the properties or methods. The extension scanner reports corresponding places.


Depending on the specific requirements, it is recommended to use PSR-14 events or authentication services to modify behaviour of the authentication classes.