2.1.1
Refine CSRF by leveraging FormProtectionFactory
Previously, the user session identifier alone was used as the CSRF token, which is considered sensitive information disclosure.
This has now been changed. No action is required from the end user. The CSRF token is regenerated on each page reload in Production mode.
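The difference between the two approaches, as an added example that is not the extension's code and not TYPO3's FormProtectionFactory implementation: a token equal to the session identifier next to a token derived from a server-side secret and renewed on every render. The function names, the scope string and the sample values are hypothetical.

```php
<?php
declare(strict_types=1);

// Constructed illustration; every name below is hypothetical.

// Retired pattern: the token IS the session identifier, so every form field,
// request header or log line that carries the token exposes the session.
function legacyToken(string $sessionId): string
{
    return $sessionId;
}

// Derived token: a fresh nonce per page render plus an HMAC bound to the
// form scope, keyed with a secret that never leaves the server.
function issueToken(string $sessionSecret, string $scope): string
{
    $nonce = bin2hex(random_bytes(16));
    $mac = hash_hmac('sha256', $nonce . '|' . $scope, $sessionSecret);
    return $nonce . '.' . $mac;
}

function verifyToken(string $sessionSecret, string $scope, string $token): bool
{
    $parts = explode('.', $token, 2);
    if (count($parts) !== 2 || strlen($parts[0]) !== 32 || !ctype_xdigit($parts[0])) {
        return false; // malformed input is rejected before any MAC work
    }
    $expected = hash_hmac('sha256', $parts[0] . '|' . $scope, $sessionSecret);
    return hash_equals($expected, $parts[1]); // constant-time comparison
}

// Constructed sample values.
$sessionId = 'constructed-session-id';
$sessionSecret = random_bytes(32); // kept with the session, never sent to the client
$scope = 'routes/api/example';

$first = issueToken($sessionSecret, $scope);
$second = issueToken($sessionSecret, $scope);

var_dump(legacyToken($sessionId) === $sessionId);                  // legacy token vs. session id
var_dump($first === $second);                                      // two renders of the same form
var_dump(verifyToken($sessionSecret, $scope, $first));             // token checked in its own scope
var_dump(verifyToken($sessionSecret, 'routes/api/other', $first)); // same token, different scope
var_dump(verifyToken(random_bytes(32), $scope, $first));           // same token, different session secret
```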
Avoid middleware execution
I’ve had a community request to change it from debug to something else, as the debug key is used for other purposes as well. Those who use this feature in development mode, please use disableRoutesMiddleware instead.

    // Before
    $GLOBALS['TYPO3_CONF_VARS']['FE']['debug'] = true;

    // Now
    $GLOBALS['TYPO3_CONF_VARS']['FE']['disableRoutesMiddleware'] = true;

Simplify VerifyAdminBackendSession