felogin
typo3/cms-felogin
13.4
en
TYPO3 contributors
This document is published under the Open Content License.
Tue, 08 Jul 2025 09:27:25 +0000
This extension provides a template-based plugin that allows website users to log in to the TYPO3 frontend.
Table of Contents:
The Frontend Login for Website Users (felogin) extension is a general purpose extension for frontend logins. In addition to the actual login box, it includes several methods for redirecting after login/logout and includes forgot password functionality.
The plugin's general settings
Configuration of the redirection options
Hint
Be sure that in the overall Access tab under User Group Access rights the content
element and even the page itself is not set to Hide at login, otherwise the redirect
to the given page will not work.
Configuration of the various messages (screenshot shows not all options)
This extension is part of the TYPO3 Core, but not installed by default.
Table of contents
Check whether you are already using the extension with:
composer show | grep feloginThis should either give you no result or something similar to:
typo3/cms-felogin v12.4.11If it is not installed yet, use the composer require command to install
the extension:
composer require typo3/cms-feloginThe given version depends on the version of the TYPO3 Core you are using.
In an installation without Composer, the extension is already shipped but might not be activated yet. Activate it as follows:
Extension manager showing Frontend Login extension
The felogin extension requires no special configuration. All options are available in the plugin's FlexForm as shown in the Screenshots.
The felogin plugin is available through the Content Wizard as Login Form:
The Login Form plugin in the content element wizard
In order for Website Users to be able to log in, the "Frontend login" plugin must know where the records are stored. There are two possibilities for setting this storage folder:
The site's integrator may have set a default value for the User Storage Page or using the Settings editor. If you use the default folder to store frontend users in your project there is nothing to do here.
If your project needs multiple storage folders for frontend users or if there is no default storage folder set, see Example: Override the default storage page in the plugin's FlexForm.
A very common issue is, that the felogin plugin is set to Access: Hide at login. After the core has processed the login request, the page will be rendered without the felogin plugin. If there are redirect options active they will not be executed, simply because the felogin plugin is hidden.
Of course setting the felogin plugin to Hide at login and having redirect options together doesn't really makes sense.
In order to properly use the felogin plugin and its advanced capabilities (such as redirect options) it is important to understand the mechanism of frontend user login in TYPO3 CMS.
If there is no frontend user logged in, the login form will be shown.
If there is a logged in frontend user, the logout form is shown.
If the forgot password link was used, the form to reset a password based on username or email address will be shown.
If the password reset link was followed from an email, the form to change the password will be shown.
After the form is submitted the TYPO3 CMS authentication services will validate the login credentials. After this process felogin will handle the rest. This means that the felogin plugin must be visible for the user who has logged in.
Felogin will then check any redirect options and generate the appropriate content.
Caution
The following redirect options are supported.
Within a Website usergroup record, you can specify a page where usergroup members will be redirected after login.
This is identical to the redirection option for "defined by Usergroup Record" but applies to a single website user instead of an entire user group.
This redirect page is set either in TypoScript
(
plugin.) or in the
FlexForm of the felogin plugin.
Defines the redirect page after a user has logged out. Again, it can be set in TypoScript or in the felogin plugin's FlexForm.
Defines the redirect page after a login error occurs. Can be set in TypoScript or in the felogin plugin's FlexForm.
Redirect the visitor based on the GET/POST parameters redirect_.
If the TypoScript configuration
config. is set, the GET/POST
parameter redirect_ is used.
Example url:
https://example.org/index.php?id=12&redirect_url=https%3A%2F%2Fexample%2Eorg%2Fdestiny%2FThe referrer page is used for the redirect. This basically means that the user is sent back to the page he originally came from.
Same as Defined by Referrer, except that only the domains listed in
plugin. are allowed. If someone is sent to the
login page coming from a domain which is not listed, the redirect will
not happen.
By using the option Use First Supported Mode from Selection you can define several fallback methods.
Note
It is only possible to use domains, which are known to TYPO3. This means,
that domains must be configured as base in site settings for websites
in the current TYPO3 instance.
All configuration options are available in the FlexForm, as settings of the site set and as TypoScript setup.
The settings are interpreted in the following order, the last one takes precedence:
Topics
New in version 13.3
The new backend module Site Management > Settings provides an overview of sites which offer configurable settings and makes them editable.
When the site set for the frontend login is included, the settings for EXT:felogin become available in the editor.
You can find the available site settings in module Site Management > Settings
You can change individual settings here. If the site settings are writable you can hit the Save button and the settings will be written directly to the site settings.
If the settings are not writable you can click the YAML export button to export the settings. These can then be added by a developer with sufficient rights.
The available settings are also described in detail in Settings for the "Frontend Login" site set.
New in version 13.1
Site sets were added.
The system extension typo3/cms-felogin provides the site set "Frontend Login".
The different methods of setting are taking precedence in the following order:
Content on this page
Include the site set "Frontend Login" via the site set in the site configuration or the custom site package's site set.
Add the site set "Frontend Login"
This will change your site configuration file as follows:
base: 'https://example.com/'
rootPageId: 1
dependencies:
+ - typo3/felogin
- typo3/fluid-styled-content-css
If your site has a custom site package, you can also add the "Frontend Login" set as dependency in your site set's configuration:
New in version 13.1
These settings were added with the site sets in TYPO3 v13.1.
See also: Example: Set the user storage page using the site set settings.
If you plan to migrate from TypoScript setup settings to site settings see Migration from TypoScript setup settings to site settings.
These settings can be adjusted in the Settings editor.
| Name | Type | Label |
|---|---|---|
| Frontend Login | ||
string
|
User Storage Page | |
string
|
Recursive | |
bool
|
Display Password Recovery Link | |
bool
|
Display Remember Login Option | |
bool
|
Disable redirect after successful lo... | |
string
|
Email Sender Address | |
string
|
Email Sender Name | |
string
|
Reply-to email Address | |
string
|
Date format | |
string
|
Layout root path | |
string
|
Template root path | |
string
|
Partial root path | |
string
|
Template name for emails. | |
string
|
Redirect Mode | |
bool
|
Use First Supported Mode from Select... | |
int
|
After Successful Login Redirect to P... | |
int
|
After Failed Login Redirect to Page | |
int
|
After Logout Redirect to Page | |
bool
|
Disable Redirect | |
int
|
Time in hours how long the link for ... | |
string
|
Allowed Referrer-Redirect-Domains | |
bool
|
Expose existing users | |
string
|
Path to template root (frontend) | |
string
|
Path to template partials (frontend) | |
string
|
Path to template layouts (frontend) |
string
"0"
Define the Storage Folder with the Website User Records, using a comma separated list or single value
string
"0"
If set, also subfolder at configured recursive levels of the User Storage Page will be used
bool
false
If set, the section in the template to display the link to the forgot password dialog is visible.
bool
false
If set, the section in the template to display the option to remember the login (with a cookie) is visible.
bool
false
If set, the logout form will be displayed immediately after successful login.
string
email address used as sender of the change password emails
string
Name used as sender of the change password emails
string
Reply-to address used in the change password emails
string
"Y-m-d H:i"
Format for the link is valid until message (forgot password email)
string
Path to layout directory used for emails
string
"EXT:felogin/Resources/Private/Email/Templates/"
Path to template directory used for emails
string
Path to partial directory used for emails
string
"PasswordRecovery"
HTML emails get the .html file extension, plaintext emails get the .txt file extension.
string
Comma separated list of redirect modes.\ Possible values: groupLogin, userLogin, login, getpost, referer, refererDomains, loginError, logout.\ Warning: redirects only work if neither the plugin nor the page it is displayed on are set to `hide at login`.
bool
false
If set the first method from redirectMode which is possible will be used
int
0
Page id to redirect to after Login
int
0
Page id to redirect to after Login Error
int
0
Page id to redirect to after Logout
bool
false
If set redirecting is disabled
int
12
How many hours the link for forgot password is valid
string
Comma separated list of domains which are allowed for the referrer redirect mode
bool
false
Expose the information on whether or not the account for which a new password was requested exists. By default, that information is not disclosed for privacy reasons.
string
Path to template directory used for the plugin in the frontend. Extends the default template location.
string
Path to partial directory for the plugin in the frontend. Extends the default partial location.
string
Path to layout directory used for the plugin in the frontend. Can be used to introduce a custom layout.
The site settings are named like the TypoScript constants used before site sets. However the TypoScript constants are not always named the same like the TypoScript setup settings.
For each TypoScript setup / FlexForm setting we list the corresponding site set setting in the overview table of the configuration values.
For example, the setting felogin.pid sets setting pages.
Bear that in mind when migrating from TypoScript setup to site set settings.
After you included the site set you can use the site set settings to configure the frontend login plugin's behaviour and layout site-wide.
See also Adding site settings.
You can add the settings to your Site settings or to the settings of your custom site package extension.
To add the settings to your site settings, edit the file
config/ in Composer-based installations
or typo3conf/ in legacy installations. If
the file does not exist yet, create one. Use the setting
felogin.pid to set the storage folder. If
its subfolders should also be included, additionally use setting
felogin.recursive.
Content on this page
Most of these plugin settings can be set with the following methods, the top bottom most taking precedence:
See also Example: Override the default storage page in the plugin's FlexForm.
| Name | Type | Site set setting |
|---|---|---|
| bool | ||
| bool | ||
| bool | ||
| string | felogin.pid | |
| int | felogin.recursive | |
| string | felogin.redirectMode | |
| bool | felogin.redirectFirstMethod | |
| integer | felogin.redirectPageLogin | |
| integer | felogin.redirectPageLoginError | |
| integer | 1 | |
| bool | felogin.redirectPageLogout | |
| date-conf | felogin.dateFormat | |
| string | ||
| string | ||
| string | felogin.email.templateName | |
| array | felogin.email.templateRootPath | |
| array | felogin.email.templateRootPath | |
| array | felogin.email.partialRootPath | |
| bool | felogin.exposeNonexistentUserInForgotPasswordDialog | |
| integer | felogin.forgotLinkHashValidTime | |
| string |
If set, the section in the template to display the link to the forgot password dialogue is visible.
Important
Be aware that having this option disabled also prevents the plugin to display the forgot password form. For instance if you access the link directly.
If set, the section in the template to display the option to remember the login (with a cookie) is visible.
If set, the logout form will be displayed immediately after successful login.
Note
Setting this option will disable the redirect options! Instead of redirecting the plugin will show the logout form.
Define the User Storage Page with the Website User Records, using a comma separated list or a single value (page id).
If set, also any subfolders of the User Storage Page will be used at configured recursive levels
Comma separated list of redirect modes. Possible values:
groupLogin, userLogin, login, getpost, referer,
refererDomains, loginError, logout
See section on redirect modes for details.
If set the first method from redirectMode which is possible will be used
Page id to redirect to after Login
Page id to redirect to after Login Error
Page id to redirect to after Logout
If set redirecting is disabled
Format for the link is valid until message (forgot password email)
Email address used as sender of the change password emails
Name used as sender of the change password emails
Template name for emails. Plaintext emails get the .txt file extension.
Path to layout directory used for emails
Path to template directory used for emails
Path to partial directory used for emails
If set and the user account cannot be found in the forgot password dialogue, an error message will be shown that the account could not be found. .. warning:: Enabling this will disclose information about whether an email address is actually used for a frontend user account! Visitors can find out if a user is known as frontend user.
Time in hours how long the link for forgot password is valid
Comma separated list of domains which are allowed for the referrer redirect mode
You can use the TypoScript provider or other means of setting the TypoScript constants.
Changed in version 13.1
It is recommended to use the Settings for the "Frontend Login" site set instead, as TypoScript constants will be phased out in the future.
In order to set the default storage page to a more dynamic value, use
the TypoScript setup. Use the TypoScript provider
or other means of ref:setting the Typo.
If you set any FlexForm setting within the content element representing the plugin to a non-empty value it will override any other setting not matter if it is made via site settings, TypoScript constant ot TypoScript setup. Empty values take no effect if a default was set by other means.
In the backend module Web > Page edit the content element containing the login form. Go to tab Plugin and sub tab General. You should see a form similar to the following:
Settings in the tab General of the plugin tab
Choose the desired page or pages in the field with label User Storage Page (key settings.pages).
Tip
It is sometimes hard to determine, which label in the FlexForm corresponds to which key in the FlexForm reference.
Turn on the backend debug mode to get a visual hint in the backend for the keys of the FlexForm field.
The corresponding FlexForm field settings.pages in backend debug mode.
The extension uses several GET and POST parameters to define or override redirect settings.
1, no redirect will be processed after a successful
login.The following PSR-14 events are available to extend the extension:
Trigger any kind of action when a frontend user has been successfully logged in. More details
Notification before a redirect is made. More details
A notification when a log in has successfully arrived at the plugin, via the view and the controller, multiple information can be overridden in event listeners. More details
A notification if something went wrong while trying to log in a user. More details
A notification when a log out has successfully arrived at the plugin, via the view and the controller, multiple information can be overridden in event listeners. More details
Allows to inject custom variables into the login form. More details
Event that contains information about the password which was set, and is about to be stored in the database. More details
Event that contains the email to be sent to the user when they request a new password. More details
In this section some common situations are described:
A common situation is that visitors who go to a page with access restrictions should go to a login page first and after logging in should be send back to the page they originally requested.
Assume we have a login page with id 2.
Using TypoScript we can still display links to access restricted pages and send visitors to the login page:
config {
typolinkLinkAccessRestrictedPages = 2
typolinkLinkAccessRestrictedPages_addParams = &return_url=###RETURN_URL###
}On the login page the login form must be configured to redirect to the original page:
plugin.tx_felogin_login.settings.redirectMode = getpost(This option can also be set in the flexform configuration of the felogin content element)
If visitors will directly enter the URL of an access restricted page they will be sent to the first page in the rootline to which they have access. Sending those direct visits to a login page is not a job of the felogin plugin, but requires a custom page-not-found handler. In this sense, we refer to Custom error handler implementation for 403 redirects.
Again TypoScript will help you out. The page with the login form has id=2:
10 = TEXT
10 {
value = Login
typolink.parameter = 2
}
[frontend.user.isLoggedIn]
10.value = Logout
10.typolink.additionalParams = &logintype=logout
[end]Of course there can be solutions with
HMENU items, etc.
This section explains how to utilize a custom error handler to catch 403 restricted page errors and allow to forward to a login form, and then redirect back to the originating page after successful login.
You need the following site settings in the error handling
Error Handling tab of Site Configuration module
There you add the custom 403 error handler and configure the error handler, you create in the following steps.
See also
Look up the page ID where a login form (like with EXT:felogin) is placed
This page ID is needed in the following step, so that the error handler will know, where to forward an unauthenticated user to, so that a login can be performed.
Ideally, this should be done by configuring a page ID via the site settings, and referring back to a named ID. See PHP API: accessing site configuration for more information. For reduced complexity, this example uses a hard-coded page ID.
Create a new error handler Redirect
Create a PHP error handler class like the following in a custom extension, like your own sitepackage:
<?php
declare(strict_types=1);
/*
* This file is part of the TYPO3 CMS project.
*
* It is free software; you can redistribute it and/or modify it under
* the terms of the GNU General Public License, either version 2
* of the License, or any later version.
*
* For the full copyright and license information, please read the
* LICENSE.txt file that was distributed with this source code.
*
* The TYPO3 project - inspiring people to share!
*/
namespace MyVendor\MySitePackage\Error\PageErrorHandler;
use Psr\Http\Message\ResponseInterface;
use Psr\Http\Message\ServerRequestInterface;
use TYPO3\CMS\Core\Context\Context;
use TYPO3\CMS\Core\Controller\ErrorPageController;
use TYPO3\CMS\Core\Error\PageErrorHandler\PageErrorHandlerInterface;
use TYPO3\CMS\Core\Http\HtmlResponse;
use TYPO3\CMS\Core\Http\RedirectResponse;
use TYPO3\CMS\Core\LinkHandling\LinkService;
use TYPO3\CMS\Core\Site\Entity\Site;
use TYPO3\CMS\Core\Utility\GeneralUtility;
use TYPO3\CMS\Frontend\Page\PageAccessFailureReasons;
/**
* An error handler that redirects to a configured page, where the login
* process is handled. Passes a configurable URL parameter (`return_url` or
* `redirect_url`) to the target page.
*/
final class RedirectLoginErrorHandler implements PageErrorHandlerInterface
{
private const PAGE_ID_LOGIN_FORM = 656;
private readonly int $loginRedirectPid;
private readonly string $loginRedirectParameter;
private readonly Context $context;
private readonly LinkService $linkService;
private readonly ErrorPageController $errorPageController;
public function __construct(private readonly int $statusCode)
{
$configuration = [
// TODO: Replace with $siteSettings[...] or something else
'loginRedirectTarget' => 't3://page?uid=' . self::PAGE_ID_LOGIN_FORM,
'loginRedirectParameter' => 'return_url',
];
$this->context = GeneralUtility::makeInstance(Context::class);
$this->linkService = GeneralUtility::makeInstance(LinkService::class);
$this->errorPageController = GeneralUtility::makeInstance(ErrorPageController::class);
$urlParams = $this->linkService->resolve($configuration['loginRedirectTarget']);
$this->loginRedirectPid = (int)($urlParams['pageuid'] ?? 0);
$this->loginRedirectParameter = $configuration['loginRedirectParameter'];
}
public function handlePageError(
ServerRequestInterface $request,
string $message,
array $reasons = []
): ResponseInterface {
$this->checkHandlerConfiguration();
if ($this->shouldHandleRequest($reasons)) {
return $this->handleLoginRedirect($request);
}
// Show general error message with a 403 HTTP status code
return $this->getGenericAccessDeniedResponse($message);
}
private function getGenericAccessDeniedResponse(string $reason): ResponseInterface
{
$reason = $reason ? ' Reason: ' . $reason : '';
$content = $this->errorPageController->errorAction(
'Page Not Found',
sprintf('The page did not exist or was inaccessible.%s', $reason),
0,
$this->statusCode,
);
return new HtmlResponse($content, $this->statusCode);
}
private function handleLoginRedirect(ServerRequestInterface $request): ResponseInterface
{
if ($this->isLoggedIn()) {
return $this->getGenericAccessDeniedResponse(
'The requested page was not accessible with the provided credentials'
);
}
/** @var Site $site */
$site = $request->getAttribute('site');
$language = $request->getAttribute('language');
$loginUrl = $site->getRouter()->generateUri(
$this->loginRedirectPid,
[
'_language' => $language,
$this->loginRedirectParameter => (string)$request->getUri(),
]
);
return new RedirectResponse($loginUrl);
}
private function shouldHandleRequest(array $reasons): bool
{
if (!isset($reasons['code'])) {
return false;
}
$accessDeniedReasons = [
PageAccessFailureReasons::ACCESS_DENIED_PAGE_NOT_RESOLVED,
PageAccessFailureReasons::ACCESS_DENIED_SUBSECTION_NOT_RESOLVED,
];
$isAccessDenied = in_array($reasons['code'], $accessDeniedReasons, true);
return $isAccessDenied || $this->isSimulatedBackendGroup();
}
private function isLoggedIn(): bool
{
if ($this->context->getPropertyFromAspect('frontend.user', 'isLoggedIn')) {
return true;
}
return $this->isSimulatedBackendGroup();
}
protected function isSimulatedBackendGroup(): bool
{
if (!$this->context->getPropertyFromAspect('backend.user', 'isLoggedIn')) {
return false;
}
// look for special "any group"
$groups = $this->context->getPropertyFromAspect('frontend.user', 'groupIds');
return $groups[1] === -2;
}
private function checkHandlerConfiguration(): void
{
if ($this->loginRedirectPid === 0) {
throw new \RuntimeException('No loginRedirectTarget configured for LoginRedirect errorhandler', 1700813537);
}
if ($this->statusCode !== 403) {
throw new \RuntimeException(sprintf('Invalid HTTP status code %d for LoginRedirect errorhandler', $this->statusCode), 1700813545);
}
}
}
Adapt the constant
PAGE_ to match the
page ID from the previous step.
Since there is no proper way how to do it otherwise, we put in the page ID
of the login form hard-coded into the file Redirect
and define a constant
PAGE_ for it. In the example
above, this is set to 656.
Hint
This example code uses PHP 8.1 syntax. Depending on the PHP version you use in
your project, you may need to adapt language features like readonly to match your
used PHP version.
In your EXT:felogin plugin, make sure you selected "Defined by GET/POST Parameters" as first redirect mode
Plugin > Redirects tab of Login Form content element
You need to configure the login form that receives your redirect in a
way, that allows to evaluate submitted URL parameters. In EXT:,
this is achieved via this Redirect Mode (which can also be set
through TypoScript configuration, see redirectMode.
Your login form will probably also need to define a specific target page
for normal logins (independent from the error handler redirect), so you
should also add a redirect like login to your list, and set
a target page in redirectPageLogin.
Testing the custom error handler
Clear the caches, for example via the backend module Admin Tools > Maintenance.
Then open any access-restricted page
in an incognito browser window to be sure that
you are not logged in yet. Here we will use the example
URL https://.
When everything is configured correctly and if you are not logged in
yet, then you should be redirected to your login page like
https:// (example page ID 656).
After entering proper frontend user credentials, you should be redirected
back to https://, the page where you
wanted to get to initially.
Hint
When you have multiple site configurations, be sure to access the correct one. This means where both the login form is located, and the custom error handler is configured for.
Hint
Do not copy the generated link from the address URL after you clicked View webpage from the backend, and then just paste it into the URL bar of the incognito window. The reason is that when being logged in to the backend, a possibly simulated frontend user login can affect your tests.
Hint
Do not get confused when the URL
https:// will be forwarded to a URL
like
https://
when you want to access the restricted page in the first place.
These are the getpost redirect parameters that are evaluated by
EXT:. Now type in the user credentials of the already created
frontend user and you should get redirected to the desired
page https://.
This example was taken from [FEATURE] Introduce ErrorHandler for 403 errors with redirect option which works in TYPO3 v11 and v12, and has been integrated to TYPO3 v13, where it can be used without a custom implementation.