Security, Reliability and Compliance

Security is a serious business when it comes to your website, that’s why it’s one of the top priorities for the TYPO3 CMS and community.

Secure Password Reset/Recovery

Introduced in version 10.4

Another notable new feature in TYPO3 v10 LTS is the “password recovery” function for backend users. Previously, administrators created backend user accounts and assigned passwords. They then had to provide the users with their access details. The same applied to cases where users forgot their passwords. From a security perspective, this is not considered state-of-the-art anymore. Administrators should not need to deal with user passwords at all.

In TYPO3 v10 LTS, administrators can trigger a password reset for users in the TYPO3 backend. Backend users are now also able to request a password-reset email in a secure way.

To ensure a high standard, we have built a number of security features into this function.

  • No information about existing users is disclosed.
  • The link in the email is only valid for a limited time.
  • There is a rate limit on how often a recovery email can be requested.

On systems that have special security requirements, the function can also be deactivated for administrator accounts. Alternatively, the function can be completely disabled for all users. This may become relevant in installations with third-party integrations such as LDAP or OAuth.


Frontend Login Improvements

Introduced in version 10.4

The frontend login functionality provides a simple way for users to log in and access restricted areas of a website. In TYPO3 v10 LTS, the feature has been migrated to the Extbase programming framework and the Fluid templating engine.

This solution offers developers and integrators a few advantages:

Customize the appearance: Update or completely change the appearance by modifying the Fluid templates. This covers not only the login form and other functions visible in the frontend, but also the emails sent to end users, for example password recovery emails.

Stricter security: Another welcome effect of the switch to Extbase concerns the so-called “validators” — pieces of PHP code that check whether a password meets certain security requirements. Developers and integrators alike can now adjust and extend these validators and enforce strict password rules.

This enhanced flexibility in TYPO3 v10 LTS allows agencies to highly customize the login functionality for frontend users.


Improved Users’ Privacy with SameSite Cookies

Introduced in version 10.3

We cannot stress this enough — in fact I think we have mentioned it in almost every release announcement article over the last few years — security is one of our top priorities and maximum privacy settings are TYPO3’s defaults.

Now TYPO3 supports SameSite cookies to improve users’ privacy. Modern browsers such as Firefox, Chrome, Opera, Microsoft Edge and Safari include this feature to “mitigate the risk of cross-origin information leakage” and provide “some protection against cross-site request forgery attacks”, according to OWASP. Websites and web applications set a flag on each cookie that declares whether the cookie should be restricted to a first-party or same-site context. In other words, a site can now define whether certain information (e.g. the session cookie) is shared with third-party sites, for example when scripts or iframes from other sites are involved.

All cookies sent by TYPO3 now carry the SameSite flag. Frontend session cookies are set to “SameSite=Lax”, while backend session cookies, Install Tool session cookies and workspace cookies use the more restrictive “SameSite=Strict”.

Under a few rare circumstances (for example with OAuth2 or OpenID Connect solutions), the default settings might be too strict. For these edge cases, the Install Tool offers a system configuration setting to adjust the SameSite cookie policy.
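As an added example (not code from TYPO3 or from this announcement), the following Python simulates the browser-side decision for the defaults just described: a Lax frontend cookie still travels on top-level links from other sites but not inside third-party iframes or on cross-site POSTs, while a Strict backend cookie never accompanies a cross-site request. The last scenario, an OpenID Connect provider posting the response back to the site, is the kind of edge case for which the Install Tool setting exists. The cookie names, hostnames and the two-label same-site check are constructed simplifications, not TYPO3 internals.

```python
from urllib.parse import urlsplit

# Constructed policy table mirroring the defaults described in the text
COOKIE_POLICY = {"fe_session": "Lax", "be_session": "Strict"}


def same_site(initiator_url: str, target_url: str) -> bool:
    """Naive same-site check on the last two host labels (no Public Suffix List)."""
    def site(url: str) -> str:
        host = urlsplit(url).hostname or ""
        return ".".join(host.split(".")[-2:])
    return site(initiator_url) == site(target_url)


def cookie_sent(policy: str, initiator_url: str, target_url: str,
                method: str, top_level: bool) -> bool:
    """Return True if a browser would attach a cookie with this SameSite value."""
    if same_site(initiator_url, target_url):
        return True            # same-site requests always carry the cookie
    if policy == "None":
        return True            # explicitly allowed cross-site (needs Secure too)
    if policy == "Lax":
        # Lax: only top-level navigations that use a safe method
        return top_level and method.upper() in ("GET", "HEAD")
    return False               # Strict: never on cross-site requests


def evaluate_scenarios() -> dict:
    """Constructed requests to www.example.org arriving from third-party sites."""
    cases = {
        # name: (cookie, initiator, target, method, top_level)
        "link_to_backend": ("be_session", "https://blog.example.net/",
                            "https://www.example.org/typo3/", "GET", True),
        "cross_site_post_to_backend": ("be_session", "https://other.example.net/",
                                       "https://www.example.org/typo3/", "POST", True),
        "link_to_frontend": ("fe_session", "https://blog.example.net/",
                             "https://www.example.org/members/", "GET", True),
        "frontend_in_iframe": ("fe_session", "https://other.example.net/",
                               "https://www.example.org/members/", "GET", False),
        "oidc_form_post_callback": ("fe_session", "https://idp.example.com/",
                                    "https://www.example.org/oidc/callback", "POST", True),
    }
    return {name: cookie_sent(COOKIE_POLICY[cookie], src, dst, method, top)
            for name, (cookie, src, dst, method, top) in cases.items()}
```

Only `link_to_frontend` comes back True; the OIDC callback losing its session cookie is the symptom that would lead an integrator to relax the policy for that installation.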

By the way, due to its importance and clear privacy benefit, the SameSite cookies feature was also implemented in TYPO3 v8 and v9 earlier this month, so that you can apply the enhanced privacy settings even in older versions of TYPO3.


Improved Users’ Privacy

Introduced in version 10.2

Widget ViewHelpers set a session cookie in the frontend under certain circumstances, for example when the Autocomplete ViewHelper is used. To improve users’ privacy and comply with the European Union’s General Data Protection Regulation (EU GDPR), a boolean argument storeSession can now be set to enable or disable the cookie.
