1. Refine Csrf by leveraging FormProtectionFactory

    Previously we used just the user session identifier as the CSRF token, which is considered sensitive information disclosure.

    So now we’ve changed it. No action is required from the end user. The CSRF token gets regenerated on each page reload in Production mode.
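
    Why a raw session identifier makes a poor CSRF token, and what a derived, per-render token looks like instead. This is an added example: it is not this extension's code and not how TYPO3's FormProtectionFactory is implemented, and the function names, form name and sample values are hypothetical.

    ```php
    <?php
    declare(strict_types=1);

    // Added illustration only; all names and values below are hypothetical.

    /** HMAC over an unambiguous encoding of nonce, session ID and form name. */
    function csrfMac(string $nonce, string $sessionId, string $formName, string $key): string
    {
        return hash_hmac('sha256', json_encode([$nonce, $sessionId, $formName]), $key);
    }

    /** Issue a token bound to session and form that never contains the session ID. */
    function issueCsrfToken(string $sessionId, string $formName, string $key): string
    {
        $nonce = bin2hex(random_bytes(16)); // fresh per page render, so the token differs on reload
        return $nonce . '.' . csrfMac($nonce, $sessionId, $formName, $key);
    }

    /** Recompute the MAC from the submitted nonce and compare in constant time. */
    function verifyCsrfToken(string $token, string $sessionId, string $formName, string $key): bool
    {
        $parts = explode('.', $token, 2);
        if (count($parts) !== 2 || strlen($parts[0]) !== 32 || !ctype_xdigit($parts[0])) {
            return false; // malformed token, including a bare session ID
        }
        return hash_equals(csrfMac($parts[0], $sessionId, $formName, $key), $parts[1]);
    }

    // Constructed sample values.
    $key = random_bytes(32);                      // stands in for a server-side secret
    $sessionId = 'constructed-session-id-0001';   // not a real session identifier
    $first = issueCsrfToken($sessionId, 'routes_api', $key);
    $second = issueCsrfToken($sessionId, 'routes_api', $key);

    // Does the token leak the session ID into markup, logs or Referer headers?
    var_dump(str_contains($first, $sessionId));
    // Do two renders of the same page produce different tokens?
    var_dump($first !== $second);
    // Valid token for the issuing session and form.
    var_dump(verifyCsrfToken($first, $sessionId, 'routes_api', $key));
    // Same token replayed under another session.
    var_dump(verifyCsrfToken($first, 'constructed-session-id-0002', 'routes_api', $key));
    // The old scheme's token (the session ID itself) submitted as-is.
    var_dump(verifyCsrfToken($sessionId, $sessionId, 'routes_api', $key));
    ```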

  2. Avoid middleware execution

    I’ve had a community request to change it from debug to something else, as the debug key is used for different reasons as well. Those who use this feature in development mode, please use disableRoutesMiddleware instead.

    // Before
    $GLOBALS['TYPO3_CONF_VARS']['FE']['debug'] = true;
    // Now
    $GLOBALS['TYPO3_CONF_VARS']['FE']['disableRoutesMiddleware'] = true;

  3. Simplify VerifyAdminBackendSession