Features in TYPO3 11 LTS

Multi-Factor Authentication (MFA)

Introduced in version 11.1

When you log in to the backend of TYPO3, you control a wide range of functions. Depending on your level of access, you can edit the contents of your company’s online presence, change business-critical data, or access highly sensitive user information. This great power needs to be protected so that only you have access to it.

Sometimes, a user name and password is just not secure enough. Multi-factor authentication (MFA) addresses this by adding a second factor to the login process or even multiple factors. The use of two factors is also referred to as two-factor authentication (2FA). When implemented correctly, MFA makes it significantly more difficult for an adversary to gain unauthorized access. That’s why MFA is considered one of the most effective security measures in information systems today.

When introducing an additional authentication method, it’s important to consider the user experience. If the login process becomes too cumbersome and complicated, users don’t configure it and miss out on an increased security level.

With our users at front-of-mind, we implemented a modern, secure, easy-to-use, and flexible MFA solution in TYPO3 version 11.1. You could say: "Your key to the galaxy!"

Once an administrator has activated an MFA provider, backend users can use it as a second authentication method for their login process. Typical providers are, for example, time-based one-time password (TOTP), counter-based one-time password, or WebAuthn. WebAuthn is a state-of-the-art web standard published by the World Wide Web Consortium (W3C) and supported by modern versions of Chrome, Firefox, and Edge browsers.

Following our promise to let TYPO3 site owners customize as many aspects of an instance as possible, the MFA implementation in TYPO3 allows developers to create additional providers. Check out the working examples “mfa_yubikey” (by Torben Hansen), “mfa_hotp” (by Oliver Bartsch), and “mfa_webauthn” (by Benjamin Franzke).

Documentation

>
>

Resizing/Toggling of the Navigation Area

Introduced in version 11.1

Space travelers around the galaxy know how important a user-friendly control panel is. It can save your life if you detect meteor showers early during your journey. As a TYPO3 backend user, your life usually doesn’t depend on it. Still, the option to adjust the backend view to your individual needs makes your day-to-day work easier and more pleasant.

The navigation area has had a fixed width since TYPO3 version 8. This area is the second column from the left in the backend, which shows the page tree (when modules under the “Web” section are accessed) or the file list (section “File”). Sometimes, the fixed width caused problems. In TYPO3 instances with long page titles and page trees with many levels, the contents in this area were cut off.

We reworked this component and reintroduced a resizable navigation area in TYPO3 version 11.1. We also got rid of a lot of JavaScript code.

We moved the icon to collapse and reopen the navigation area inside the panel. This location is now a better place from a usability perspective. You don’t need to readjust the navigation area’s width every time you re-login to the backend. TYPO3 remembers the last setting and restores the previous state on the next login.

By using CSS/Flexbox scaffolding, browsers now load the TYPO3 backend faster. Also, less data is transferred between TYPO3 and the client, which improves performance.

Documentation

>

Working with the Filelist Module

Introduced in version 11.1

The module “Filelist” received a visual overhaul in TYPO3 v11.1. Using the same lightweight technologies as the page tree does, both components now feature a consistent look and feel in the navigation area. This change also means that we removed the iframe that was previously used by the module.

The main benefit is a performance boost, but you will also notice an input field at the top. This field lets you filter down the folder list based on search terms, similar to the page tree filter many backend users are used to in the page tree. The search in the file list even takes file names into account.

Documentation

>

Accessibility Improvements

Introduced in version 11.1

We are continuously striving to improve accessibility so that  people with diverse hearing, movement, sight, and cognitive ability can use the TYPO3 backend.

Following the suggestions by the WAI-ARIA Authoring Practices 1.1, users can now navigate through the main module menu and the help menu by using only their keyboard. This group also includes users with screen readers or similar assistive technology.

Another accessibility improvement is that you can now set an alt-tag for a custom backend login image. To help users comply, a warning is triggered in the deprecation logs when no alt-tag exists.

Documentation

Bootstrap 5 in the TYPO3 Backend

Introduced in version 11.0

As part of a visual refresh, we switched the TYPO3 backend from Bootstrap 3 to 5. Initially released in 2011, Bootstrap is the world’s most popular frontend open-source toolkit today. The decision to use version 5 (which is still a beta-version at the time of writing) puts TYPO3 at the forefront of modern content management systems from a UI perspective.

Backend users won’t need to learn how to use a new user interface with Bootstrap 5. They might, however, notice a few minor usability changes in TYPO3 v11.0. The new Bootstrap version also adds a few accessibility improvements to the TYPO3 backend.

Documentation

Clean-up old Redirects

Introduced in version 11.0

Redirects typically aim to forward your website visitors from an old to a new destination—for example, a page. In many cases, these redirects are only required for a certain amount of time. Site administrators can now configure TYPO3 to automatically remove redirects based on specific criteria, for example, their age, domain, or hit count. Backend users (e.g., editors with appropriate access privileges) can mark redirects as “protected” to prevent their deletion.

Documentation

>

Session Handling

Introduced in version 11.0

As part of streamlining the authentication process I mentioned earlier, we reworked some components of the TYPO3 Core responsible for frontend and backend user authentication. In previous versions of TYPO3, the user session handling was part of the user authentication components of the TYPO3 Core. We reworked these in TYPO3 v11.0 and separated the user object, the authentication process, and the session handling.

We created a dedicated session handling API that offers core and extension developers centralized handling of sessions. The new UserSession object contains all session-related data. Developers should use the UserSessionManager to create new sessions.

Documentation

Dependency Injection (PSR-11)

Introduced in version 11.0

Developers should also observe the development of Extbase’s Dependency Injection (DI). We plan to deprecate and remove the current implementation in Extbase and use the feature offered by the TYPO3 Core instead. This solution is based on the PSR-11 standard and incorporates Symfony’s industry-proven DI concepts.

Documentation

Improved Workspaces

Introduced in version 11.0

The “Workspaces” feature is one of TYPO3’s unique selling points. Workspaces let editors work collaboratively on versioned content of a TYPO3 site and review/preview pages before publishing them. At the most basic level, you can configure permissions so that backend users can only edit content in an isolated workspace. Every change requires a supervisor’s approval, which gives you full control of which content goes live and when. However, TYPO3’s Workspaces are often overlooked—and that’s what we aim to change!

In TYPO3 v11.0, we started to improve the underlying code and addressed some conceptual issues. In further releases, we will stabilize existing functionality, update the documentation, improve the user experience, and introduce new features.

Documentation

Updated PSR Standards

Introduced in version 11.0

I cannot say often enough how vital unified standards are. Using coding guidelines and following official recommendations, we make sure that the TYPO3 Core architecture meets the highest standards and uses state-of-the-art technologies. The PHP Framework Interop Group issues and publishes exactly such standards: the well-known PSR standards. We already adopted a wide range of them and introduced the PSR-11 ContainerInterface, PSR-14 EventDispatchers, and PSR-15 Middlewares in previous TYPO3 versions.

PSR-7 and PSR-17 are not new to the TYPO3 world either. These standards describe common interfaces for representing HTTP messages. In simple terms: how PHP applications receive and generate HTTP requests, and how they should respond to them.

We continuously improve the TYPO3 Core according to these standards and have made PSR-7 Request/Response objects available for extension developers and integrators in even more places—for example, in custom-developed content objects (“cObjects”).

Documentation

Extbase Framework V11

Introduced in version 11.0

This initiative also affects the Extbase framework. To comply with PSR standards, controller actions should return an instance of the “Psr\Http\Message\ResponseInterface” from now on:

Extbase controller actions return ResponseInterface

It may sound like a massive task for extension developers to update their existing code. However, the advantages are apparent. Developers will have much more control over the responses and, using the ResponseFactory, it is easy to adjust the response even further. Have a look at the change log to learn more and look up some examples.

It is worth mentioning that the typical old ResponseInterface behavior (of not returning anything) triggers a deprecation warning in TYPO3 v11, which you find in the logs. Still, it will continue to work for the time being and there is enough time to update your code before it produces an error in TYPO3 v12.

Documentation

>

Fluid Widgets API

Introduced in version 11.0

A particular type of ViewHelpers in Fluid is “widgets”.  Logically they are part of the view, but widgets have their own controller and view. Strictly speaking, the technology violates the design pattern “separation of concern” and causes problems using PSR-7 request objects in Extbase.

Therefore, we decided to drop Fluid ViewHelper widgets, and TYPO3 v11 does not support them anymore. A prominent use-case of a Fluid widget in the TYPO3 Core is the <f:paginate...> ViewHelper. We advise developers to review their extensions and to use the Pagination API instead.

Documentation