Commit f31c4ee6 authored by Benni Mack's avatar Benni Mack
Browse files

[!!!][TASK] Remove unused possibility for user-based authentication timeout field

The AbstractUserAuthentication property "auth_timeout_field"
was used in the past (until TYPO3 8.0) to be filled for backend purposes
with "$GLOBALS['TYPO3_CONF_VARS']['BE']['sessionTimeout']"
and for backend with the lifetime field.

This field was not properly filled since TYPO3 v8.0, see
issue #68890 for details.

As the field had a dual-use but now is unused, it is properly
removed as TYPO3 Core never implemented this on a per-userrecord-basis
but handles this via the sessionTimeout propery now.

Resolves: #92802
Related: #68890
Releases: master
Change-Id: I760b50a292b93229bbebffac08e11393fe53393f

Tested-by: default avatarTYPO3com <>
Tested-by: Markus Klein's avatarMarkus Klein <>
Tested-by: Oliver Bartsch's avatarOliver Bartsch <>
Tested-by: Benni Mack's avatarBenni Mack <>
Reviewed-by: Markus Klein's avatarMarkus Klein <>
Reviewed-by: Oliver Bartsch's avatarOliver Bartsch <>
Reviewed-by: Benni Mack's avatarBenni Mack <>
parent daa1216a
......@@ -142,13 +142,6 @@ abstract class AbstractUserAuthentication implements LoggerAwareInterface
public $sessionTimeout = 0;
* Name for a field to fetch the server session timeout from.
* If not empty this is a field name from the user table where the timeout can be found.
* @var string
public $auth_timeout_field = '';
* Lifetime for the session-cookie (on the client)
......@@ -935,15 +928,9 @@ abstract class AbstractUserAuthentication implements LoggerAwareInterface
$userRecord['ses_tstamp'] = (int)$userRecord['ses_tstamp'];
$userRecord['is_online'] = (int)$userRecord['ses_tstamp'];
if (!empty($this->auth_timeout_field)) {
// Get timeout-time from usertable
$timeout = (int)$userRecord[$this->auth_timeout_field];
} else {
$timeout = $this->sessionTimeout;
// If timeout > 0 (TRUE) and current time has not exceeded the latest sessions-time plus the timeout in seconds then accept user
// If sessionTimeout > 0 (TRUE) and current time has not exceeded the latest sessions-time plus the timeout in seconds then accept user
// Use a gracetime-value to avoid updating a session-record too often
if ($timeout > 0 && $GLOBALS['EXEC_TIME'] < $userRecord['ses_tstamp'] + $timeout) {
if ($this->sessionTimeout > 0 && $GLOBALS['EXEC_TIME'] < $userRecord['ses_tstamp'] + $this->sessionTimeout) {
$sessionUpdateGracePeriod = 61;
if (!$skipSessionUpdate && $GLOBALS['EXEC_TIME'] > ($userRecord['ses_tstamp'] + $sessionUpdateGracePeriod)) {
// Update the session timestamp by writing a dummy update. (Backend will update the timestamp)
.. include:: ../../Includes.txt
Breaking: #92802 - User-database-based authentication timeout field removed
See :issue:`92802`
The AbstractUserAuthentication object had the possibility to
theoretically use a database field where a session timeout value
for the session storage could be set, however this was never implemented but
rather separated into a separate property called `sessionTimeout`.
This functionality, together with the public property
:php:`auth_timeout_field` has been removed.
Setting the property via a custom extension will result in a PHP warning, as
the property does not exist anymore.
In addition, this property is never evaluated anymore when determining the
session timeout.
Affected Installations
TYPO3 installations that used third-party code to modify the session timeout
value based on a database field, which relied on the public property for
implementation purposes.
Use a custom implementation with custom hooks or custom authentication provider
to achieve the same results.
.. index:: PHP-API, FullyScanned, ext:core
......@@ -700,4 +700,9 @@ return [
'TYPO3\CMS\Core\Authentication\AbstractUserAuthentication->auth_timeout_field' => [
'restFiles' => [
Supports Markdown
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment