felogin
typo3/cms-felogin
12.4
en
TYPO3 contributors
This document is published under the Open Content License.
Tue, 08 Jul 2025 09:21:10 +0000
This extension provides a template-based plugin that allows website users to log in to the TYPO3 frontend.
Table of Contents:
The Frontend Login for Website Users (felogin) extension is a general purpose extension for frontend logins. In addition to the actual login box, it includes several methods for redirecting after login/logout and includes forgot password functionality.
The plugin's general settings
Configuration of the redirection options
Hint
Be sure that in the overall Access tab under User Group Access rights the content
element and even the page itself is not set to Hide at login, otherwise the redirect
to the given page will not work.
Configuration of the various messages (screenshot shows not all options)
This extension is part of the TYPO3 Core, but not installed by default.
Table of contents
Check whether you are already using the extension with:
composer show | grep feloginThis should either give you no result or something similar to:
typo3/cms-felogin v12.4.11If it is not installed yet, use the composer require command to install
the extension:
composer require typo3/cms-feloginThe given version depends on the version of the TYPO3 Core you are using.
In an installation without Composer, the extension is already shipped but might not be activated yet. Activate it as follows:
Extension manager showing Frontend Login extension
The felogin extension requires no special configuration. All options are available in the plugin's FlexForm as shown in the Screenshots.
The felogin plugin is available through the Content Wizard as Login Form:
The Login Form plugin in the content element wizard
In order for Website Users to be able to log in, the felogin plugin must know where the records are stored. There are two possibilities for setting this storage folder:
plugin.tx_felogin_login.settings.pages = xxxA very common issue is, that the felogin plugin is set to Access: Hide at login. After the core has processed the login request, the page will be rendered without the felogin plugin. If there are redirect options active they will not be executed, simply because the felogin plugin is hidden.
Of course setting the felogin plugin to Hide at login and having redirect options together doesn't really makes sense.
In order to properly use the felogin plugin and its advanced capabilities (such as redirect options) it is important to understand the mechanism of frontend user login in TYPO3 CMS.
If there is no frontend user logged in, the login form will be shown.
If there is a logged in frontend user, the logout form is shown.
If the forgot password link was used, the form to reset a password based on username or email address will be shown.
If the password reset link was followed from an email, the form to change the password will be shown.
After the form is submitted the TYPO3 CMS authentication services will validate the login credentials. After this process felogin will handle the rest. This means that the felogin plugin must be visible for the user who has logged in.
Felogin will then check any redirect options and generate the appropriate content.
Caution
The following redirect options are supported.
Within a Website usergroup record, you can specify a page where usergroup members will be redirected after login.
This is identical to the redirection option for "defined by Usergroup Record" but applies to a single website user instead of an entire user group.
This redirect page is set either in TypoScript
(
plugin.) or in the
FlexForm of the felogin plugin.
Defines the redirect page after a user has logged out. Again, it can be set in TypoScript or in the felogin plugin's FlexForm.
Defines the redirect page after a login error occurs. Can be set in TypoScript or in the felogin plugin's FlexForm.
Redirect the visitor based on the GET/POST parameters redirect_.
If the TypoScript configuration
config. is set, the GET/POST
parameter redirect_ is used.
Example url:
https://example.org/index.php?id=12&redirect_url=https%3A%2F%2Fexample%2Eorg%2Fdestiny%2FThe referrer page is used for the redirect. This basically means that the user is sent back to the page he originally came from.
Same as Defined by Referrer, except that only the domains listed in
plugin. are allowed. If someone is sent to the
login page coming from a domain which is not listed, the redirect will
not happen.
By using the option Use First Supported Mode from Selection you can define several fallback methods.
Note
It is only possible to use domains, which are known to TYPO3. This means,
that domains must be configured as base in site settings for websites
in the current TYPO3 instance.
All configuration options are available in the FlexForm or TypoScript, with the FlexForm settings taking precedence.
| Name | Type | Default |
|---|---|---|
| bool | ||
| bool | ||
| bool | ||
| string | {$styles.content.loginform.pid} | |
| int | {$styles.content.loginform.recursive} | |
| string | {$styles.content.loginform.redirectMode} | |
| bool | {$styles.content.loginform.redirectFirstMethod} | |
| integer | {$styles.content.loginform.redirectPageLogin} | |
| integer | {$styles.content.loginform.redirectPageLoginError} | |
| integer | {$styles.content.loginform.redirectPageLogout} | |
| bool | {$styles.content.loginform.redirectDisable} | |
| date-conf | Y-m-d H:i | |
| string | ||
| string | ||
| string | {$styles.content.loginform.email.templateName} | |
| array | {$styles.content.loginform.email.layoutRootPath} | |
| array | {$styles.content.loginform.email.templateRootPaths} | |
| array | {$styles.content.loginform.email.partialRootPaths} | |
| bool | {$styles.content.loginform.exposeNonexistentUserInForgotPasswordDialog} | |
| integer | {$styles.content.loginform.forgotLinkHashValidTime} | |
| string | ||
| array |
If set, the section in the template to display the link to the forgot password dialogue is visible.
Important
Be aware that having this option disabled also prevents the plugin to display the forgot password form. For instance if you access the link directly.
If set, the section in the template to display the option to remember the login (with a cookie) is visible.
If set, the logout form will be displayed immediately after successful login. .. note:: Setting this option will disable the redirect options! Instead of redirecting the plugin will show the logout form.
Define the User Storage Page with the Website User Records, using a comma separated list or single value
If set, also any subfolders of the User Storage Page will be used at configured recursive levels
Comma separated list of redirect modes. Possible values:
groupLogin, userLogin, login, getpost, referer,
refererDomains, loginError, logout
See section on redirect modes for details.
If set the first method from redirectMode which is possible will be used
Page id to redirect to after Login
Page id to redirect to after Login Error
Page id to redirect to after Logout
If set redirecting is disabled
Format for the link is valid until message (forgot password email)
Email address used as sender of the change password emails
Name used as sender of the change password emails
Template name for emails. Plaintext emails get the .txt file extension.
Path to layout directory used for emails
Path to template directory used for emails
Path to partial directory used for emails
If set and the user account cannot be found in the forgot password dialogue, an error message will be shown that the account could not be found. .. warning:: Enabling this will disclose information about whether an email address is actually used for a frontend user account! Visitors can find out if a user is known as frontend user.
Time in hours how long the link for forgot password is valid
Comma separated list of domains which are allowed for the referrer redirect mode
Deprecated since version 12.3
The TypoScript does not include validators any more by default. Instead, the extension uses global password policies to ensure password requirements are fulfilled.
Array of validators to use for the new user password.
Special password requirements configured using custom validators in TypoScript must be migrated to a custom password policy validator as described in password policies.
Before creating a custom password policy validator, it is recommended to
evaluate, if the
Core used in the default
password policy suits current password requirements.
The extension uses several GET and POST parameters to define or override redirect settings.
1, no redirect will be processed after a successful
login.The following PSR-14 events are available to extend the extension:
Notification before a redirect is made. More details
A notification when a log in has successfully arrived at the plugin, via the view and the controller, multiple information can be overridden in event listeners. More details
A notification if something went wrong while trying to log in a user. More details
A notification when a log out has successfully arrived at the plugin, via the view and the controller, multiple information can be overridden in event listeners. More details
Allows to inject custom variables into the login form. More details
Event that contains information about the password which was set, and is about to be stored in the database. Allows to mark the password as invalid. More details
Event that contains the email to be sent to the user when they request a new password. More details
In this section some common situations are described:
A common situation is that visitors who go to a page with access restrictions should go to a login page first and after logging in should be send back to the page they originally requested.
Assume we have a login page with id 2.
Using TypoScript we can still display links to access restricted pages and send visitors to the login page:
config {
typolinkLinkAccessRestrictedPages = 2
typolinkLinkAccessRestrictedPages_addParams = &return_url=###RETURN_URL###
}On the login page the login form must be configured to redirect to the original page:
plugin.tx_felogin_login.settings.redirectMode = getpost(This option can also be set in the flexform configuration of the felogin content element)
If visitors will directly enter the URL of an access restricted page they will be sent to the first page in the rootline to which they have access. Sending those direct visits to a login page is not a job of the felogin plugin, but requires a custom page-not-found handler. In this sense, we refer to Custom error handler implementation for 403 redirects.
Again TypoScript will help you out. The page with the login form has id=2:
10 = TEXT
10 {
value = Login
typolink.parameter = 2
}
[frontend.user.isLoggedIn]
10.value = Logout
10.typolink.additionalParams = &logintype=logout
[end]Of course there can be solutions with
HMENU items, etc.
This section explains how to utilize a custom error handler to catch 403 restricted page errors and allow to forward to a login form, and then redirect back to the originating page after successful login.
You need the following site settings in the error handling
Error Handling tab of Site Configuration module
There you add the custom 403 error handler and configure the error handler, you create in the following steps.
See also
Look up the page ID where a login form (like with EXT:felogin) is placed
This page ID is needed in the following step, so that the error handler will know, where to forward an unauthenticated user to, so that a login can be performed.
Ideally, this should be done by configuring a page ID via the site settings, and referring back to a named ID. See PHP API: accessing site configuration for more information. For reduced complexity, this example uses a hard-coded page ID.
Create a new error handler Redirect
Create a PHP error handler class like the following in a custom extension, like your own sitepackage:
<?php
declare(strict_types=1);
/*
* This file is part of the TYPO3 CMS project.
*
* It is free software; you can redistribute it and/or modify it under
* the terms of the GNU General Public License, either version 2
* of the License, or any later version.
*
* For the full copyright and license information, please read the
* LICENSE.txt file that was distributed with this source code.
*
* The TYPO3 project - inspiring people to share!
*/
namespace MyVendor\MySitePackage\Error\PageErrorHandler;
use Psr\Http\Message\ResponseInterface;
use Psr\Http\Message\ServerRequestInterface;
use TYPO3\CMS\Core\Context\Context;
use TYPO3\CMS\Core\Controller\ErrorPageController;
use TYPO3\CMS\Core\Error\PageErrorHandler\PageErrorHandlerInterface;
use TYPO3\CMS\Core\Http\HtmlResponse;
use TYPO3\CMS\Core\Http\RedirectResponse;
use TYPO3\CMS\Core\LinkHandling\LinkService;
use TYPO3\CMS\Core\Site\Entity\Site;
use TYPO3\CMS\Core\Utility\GeneralUtility;
use TYPO3\CMS\Frontend\Page\PageAccessFailureReasons;
/**
* An error handler that redirects to a configured page, where the login
* process is handled. Passes a configurable URL parameter (`return_url` or
* `redirect_url`) to the target page.
*/
final class RedirectLoginErrorHandler implements PageErrorHandlerInterface
{
private const PAGE_ID_LOGIN_FORM = 656;
private readonly int $loginRedirectPid;
private readonly string $loginRedirectParameter;
private readonly Context $context;
private readonly LinkService $linkService;
private readonly ErrorPageController $errorPageController;
public function __construct(private readonly int $statusCode)
{
$configuration = [
// TODO: Replace with $siteSettings[...] or something else
'loginRedirectTarget' => 't3://page?uid=' . self::PAGE_ID_LOGIN_FORM,
'loginRedirectParameter' => 'return_url',
];
$this->context = GeneralUtility::makeInstance(Context::class);
$this->linkService = GeneralUtility::makeInstance(LinkService::class);
$this->errorPageController = GeneralUtility::makeInstance(ErrorPageController::class);
$urlParams = $this->linkService->resolve($configuration['loginRedirectTarget']);
$this->loginRedirectPid = (int)($urlParams['pageuid'] ?? 0);
$this->loginRedirectParameter = $configuration['loginRedirectParameter'];
}
public function handlePageError(
ServerRequestInterface $request,
string $message,
array $reasons = []
): ResponseInterface {
$this->checkHandlerConfiguration();
if ($this->shouldHandleRequest($reasons)) {
return $this->handleLoginRedirect($request);
}
// Show general error message with a 403 HTTP status code
return $this->getGenericAccessDeniedResponse($message);
}
private function getGenericAccessDeniedResponse(string $reason): ResponseInterface
{
$reason = $reason ? ' Reason: ' . $reason : '';
$content = $this->errorPageController->errorAction(
'Page Not Found',
sprintf('The page did not exist or was inaccessible.%s', $reason),
0,
$this->statusCode,
);
return new HtmlResponse($content, $this->statusCode);
}
private function handleLoginRedirect(ServerRequestInterface $request): ResponseInterface
{
if ($this->isLoggedIn()) {
return $this->getGenericAccessDeniedResponse(
'The requested page was not accessible with the provided credentials'
);
}
/** @var Site $site */
$site = $request->getAttribute('site');
$language = $request->getAttribute('language');
$loginUrl = $site->getRouter()->generateUri(
$this->loginRedirectPid,
[
'_language' => $language,
$this->loginRedirectParameter => (string)$request->getUri(),
]
);
return new RedirectResponse($loginUrl);
}
private function shouldHandleRequest(array $reasons): bool
{
if (!isset($reasons['code'])) {
return false;
}
$accessDeniedReasons = [
PageAccessFailureReasons::ACCESS_DENIED_PAGE_NOT_RESOLVED,
PageAccessFailureReasons::ACCESS_DENIED_SUBSECTION_NOT_RESOLVED,
];
$isAccessDenied = in_array($reasons['code'], $accessDeniedReasons, true);
return $isAccessDenied || $this->isSimulatedBackendGroup();
}
private function isLoggedIn(): bool
{
if ($this->context->getPropertyFromAspect('frontend.user', 'isLoggedIn')) {
return true;
}
return $this->isSimulatedBackendGroup();
}
protected function isSimulatedBackendGroup(): bool
{
if (!$this->context->getPropertyFromAspect('backend.user', 'isLoggedIn')) {
return false;
}
// look for special "any group"
$groups = $this->context->getPropertyFromAspect('frontend.user', 'groupIds');
return $groups[1] === -2;
}
private function checkHandlerConfiguration(): void
{
if ($this->loginRedirectPid === 0) {
throw new \RuntimeException('No loginRedirectTarget configured for LoginRedirect errorhandler', 1700813537);
}
if ($this->statusCode !== 403) {
throw new \RuntimeException(sprintf('Invalid HTTP status code %d for LoginRedirect errorhandler', $this->statusCode), 1700813545);
}
}
}
Adapt the constant
PAGE_ to match the
page ID from the previous step.
Since there is no proper way how to do it otherwise, we put in the page ID
of the login form hard-coded into the file Redirect
and define a constant
PAGE_ for it. In the example
above, this is set to 656.
Hint
This example code uses PHP 8.1 syntax. Depending on the PHP version you use in
your project, you may need to adapt language features like readonly to match your
used PHP version.
In your EXT:felogin plugin, make sure you selected "Defined by GET/POST Parameters" as first redirect mode
Plugin > Redirects tab of Login Form content element
You need to configure the login form that receives your redirect in a
way, that allows to evaluate submitted URL parameters. In EXT:,
this is achieved via this Redirect Mode (which can also be set
through TypoScript configuration, see redirectMode.
Your login form will probably also need to define a specific target page
for normal logins (independent from the error handler redirect), so you
should also add a redirect like login to your list, and set
a target page in redirectPageLogin.
Testing the custom error handler
Clear the caches, for example via the backend module Admin Tools > Maintenance.
Then open any access-restricted page
in an incognito browser window to be sure that
you are not logged in yet. Here we will use the example
URL https://.
When everything is configured correctly and if you are not logged in
yet, then you should be redirected to your login page like
https:// (example page ID 656).
After entering proper frontend user credentials, you should be redirected
back to https://, the page where you
wanted to get to initially.
Hint
When you have multiple site configurations, be sure to access the correct one. This means where both the login form is located, and the custom error handler is configured for.
Hint
Do not copy the generated link from the address URL after you clicked View webpage from the backend, and then just paste it into the URL bar of the incognito window. The reason is that when being logged in to the backend, a possibly simulated frontend user login can affect your tests.
Hint
Do not get confused when the URL
https:// will be forwarded to a URL
like
https://
when you want to access the restricted page in the first place.
These are the getpost redirect parameters that are evaluated by
EXT:. Now type in the user credentials of the already created
frontend user and you should get redirected to the desired
page https://.
This example was taken from [FEATURE] Introduce ErrorHandler for 403 errors with redirect option which works in TYPO3 v11 and v12, and has been integrated to TYPO3 v13, where it can be used without a custom implementation.