
After upgrade to TYPO3 10.4.33 - Frontend Login problems while working without Extbase

When updating your TYPO3 10.4 installation to version 10.4.33 your frontend login will not work if you're using it without Extbase or with custom login plugins. Here I will describe how to solve it and what to do to prepare it for future upgrades.

When you update TYPO3 from 10.4.32 to the current version 10.4.33 (a security update) and use the frontend login without Extbase, your website users will have problems logging in to the frontend, because the way the storage folder is submitted in the login form has changed.

Only a short time after the release of TYPO3 10.4.33, the new version 10.4.34 was released. The new release offers better backward compatibility and provides additional configuration options.

One of these patches contains the following information:

==================================================================================
Important: #99366 - Add backward compatibility handling for frontend login signing
==================================================================================

See :issue:`99366`

Description
===========

The security fix for `TYPO3-CORE-SA-2022-013 <https://typo3.org/security/advisory/typo3-core-sa-2022-013>`_
enforced the `pid` HTTP parameter to be signed via HMAC during the frontend user authentication process.

It occurred that custom authentication services suffered from these strict requirements. To provide better
backward compatibility for those individual scenarios, the new `security.frontend.enforceLoginSigning`
feature flag has been introduced, which is enabled per default, but can be disabled individually.

.. code-block:: php

    // disable signing the `pid` parameter for backward compatibility
    $GLOBALS['TYPO3_CONF_VARS']['SYS']['features']['security.frontend.enforceLoginSigning'] = false;

.. index:: Frontend, ext:felogin

This means it is now possible to add a configuration, e.g. in LocalConfiguration.php or in AdditionalConfiguration.php, that disables a feature which basically provides better security in the TYPO3 frontend login. With

$GLOBALS['TYPO3_CONF_VARS']['SYS']['features']['security.frontend.enforceLoginSigning'] = false;

you can disable this setting, and the frontend login should work again with external login extensions or without Extbase.
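
What the flag changes for a custom login form, as an added sketch in plain PHP that is not TYPO3's own code: it shows why an unsigned `pid` stops working when signing is enforced, and what is no longer checked once the flag is off. The `value@mac` layout, the SHA-256 HMAC, the key and the function names are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Constructed secret for this sketch; a real site uses its own server-side key.
const SECRET = 'constructed-demo-key-not-for-production';

// When rendering the form: bind the storage folder list to a MAC.
// The "value@mac" layout is an assumption of this sketch.
function signPid(string $pidList): string
{
    return $pidList . '@' . hash_hmac('sha256', $pidList, SECRET);
}

// On login submit: return the pid list to search, or null to reject the request.
function resolvePid(string $submitted, bool $enforceLoginSigning): ?string
{
    [$value, $mac] = array_pad(explode('@', $submitted, 2), 2, '');
    if (!preg_match('/^\d+(,\d+)*$/', $value)) {
        return null; // not a comma-separated list of page ids
    }
    if (!$enforceLoginSigning) {
        return $value; // flag off: the client-supplied value is used unchecked
    }
    $expected = hash_hmac('sha256', $value, SECRET);
    // hash_equals() compares in constant time.
    return ($mac !== '' && hash_equals($expected, $mac)) ? $value : null;
}

// Constructed sample submissions.
$issued = signPid('12');                      // what a signing form carries
$legacy = '12';                               // custom form without a signature
$edited = '99@' . explode('@', $issued)[1];   // pid changed, old MAC reused

foreach ([true, false] as $enforce) {
    printf("enforceLoginSigning=%s\n", $enforce ? 'true' : 'false');
    $samples = ['issued' => $issued, 'legacy' => $legacy, 'edited' => $edited];
    foreach ($samples as $label => $input) {
        printf("  %-7s -> %s\n", $label, resolvePid($input, $enforce) ?? 'rejected');
    }
}
```

With enforcement on, only the value the server issued is accepted, which is why forms that submit a bare `pid` fail after the update; with it off, every well-formed value passes, including one the form never issued.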

Important: I basically suggest migrating your frontend login to Extbase, because with TYPO3 11.5 it will no longer work without it or without additional configuration. You can also find the switch in TYPO3 10.4 in the backend, in the Admin Tools under Settings/Feature Toggles.