Feature #20741 » 0011509.patch

Administrator Admin, 2009-07-14 13:58


t3lib/config_default.php (Arbeitskopie)
'warning_mode' => '', // Bit 1: If set, warning_email_addr gets a mail everytime a user logs in. Bit 2: If set, a mail is sent if an ADMIN user logs in! Other bits reserved for future options.
'lockIP' => 4, // Integer (0-4). Session IP locking for backend users. See [FE][lockIP] for details. Default is 4 (which is locking the FULL IP address to session).
'sessionTimeout' => 3600, // Integer, seconds. Session time out for backend users. Default is 3600 seconds = 1 hour.
'enableSessionCleanup' => 1, // Boolean. Whether to enable the automatic session cleanup tiggered by website hits
'IPmaskList' => '', // String. Lets you define a list of IP-numbers (with *-wildcards) that are the ONLY ones allowed access to ANY backend activity. On error an error header is sent and the script exits. Works like IP masking for users configurable through TSconfig. See syntax for that (or look up syntax for the function t3lib_div::cmpIP())
'lockBeUserToDBmounts' => 1, // Boolean. If set, the backend user is allowed to work only within his page-mount. It's advisable to leave this on because it makes security easy to manage.
'lockSSL' => 0, // Int. 0,1,2,3: If set (1,2,3), the backend can only be operated from an ssl-encrypted connection (https). Set to 2 you will be redirected to the https admin-url supposed to be the http-url, but with https scheme instead. If set to 3, only the login is forced to SSL, then the user switches back to non-SSL-mode
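Review bot: the new [BE]['enableSessionCleanup'] entry misspells "triggered" as "tiggered", and its comment should say what setting it to 0 means for the operator: the flag only gates the probabilistic gc() call in t3lib_userauth::start(), so expired rows stay in the backend session table until something else deletes them (a scheduled job, for example). It does not change 'sessionTimeout' above, only who removes the expired rows. Suggested wording: "Boolean. If set, expired backend sessions are garbage-collected opportunistically on website hits; if unset, you must purge them by other means."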
......
'userFuncClassPrefix' => 'user_', // This prefix must be the first part of any function or class name called from TypoScript, for instance in the stdWrap function.
'addRootLineFields' => '', // Comma-list of fields from the 'pages'-table. These fields are added to the select query for fields in the rootline.
'checkFeUserPid' => 1, // Boolean. If set, the pid of fe_user logins must be sent in the form as the field 'pid' and then the user must be located in the pid. If you unset this, you should change the fe_users.username eval-flag 'uniqueInPid' to 'unique' in $TCA. This will do: $TCA['fe_users']['columns']['username']['config']['eval']= 'nospace,lower,required,unique';
'enableSessionCleanup' => 1, // Boolean. Whether to enable the automatic session cleanup tiggered by website hits
'enableSessionDataCleanup' => 1, // Boolean. Whether to enable the automatic session data cleanup tiggered by website hits
'lockIP' => 2, // Integer (0-4). If >0, fe_users are locked to (a part of) their REMOTE_ADDR IP for their session. Enhances security but may throw off users that may change IP during their session (in which case you can lower it to 2 or 3). The integer indicates how many parts of the IP address to include in the check. Reducing to 1-3 means that only first, second or third part of the IP address is used. 4 is the FULL IP address and recommended. 0 (zero) disables checking of course.
'loginSecurityLevel' => '', // See description for TYPO3_CONF_VARS[BE][loginSecurityLevel]. Default state for frontend is "normal". Alternative authentication services can implement higher levels if preferred. For example, "rsa" level uses RSA password encryption (only if the rsaauth extension is installed)
'lifetime' => 0, // Integer, positive. If >0, the cookie of FE users will have a lifetime of the number of seconds this value indicates. Otherwise it will be a session cookie (deleted when browser is shut down). Setting this value to 604800 will result in automatic login of FE users during a whole week, 86400 will keep the FE users logged in for a day.
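Review bot: both new [FE] entries carry the same "tiggered" typo, and the comment for 'enableSessionDataCleanup' does not say which data it controls. The last hunk of this patch shows it gates the DELETE on fe_session_data for rows older than $this->sessionDataLifetime, so the comment should name that table and that lifetime, otherwise readers cannot tell the two flags apart. Something like: "Boolean. Whether expired rows in fe_session_data (older than the session data lifetime) are removed opportunistically on website hits."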
t3lib/class.t3lib_beuserauth.php (Arbeitskopie)
function start() {
$securityLevel = trim($GLOBALS['TYPO3_CONF_VARS']['BE']['loginSecurityLevel']);
$this->security_level = $securityLevel ? $securityLevel : 'superchallenged';
$this->enableSessionCleanup = (bool)$GLOBALS['TYPO3_CONF_VARS']['BE']['enableSessionCleanup'];
parent::start();
}
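Review bot: the assignment of $this->enableSessionCleanup must stay ahead of parent::start(), because that is where the gc probability check that reads the flag runs; a one-line comment saying so would stop a later refactoring from moving it after the parent call and silently re-enabling the cleanup. The (bool) cast is fine and matches the FE hunk.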
t3lib/class.t3lib_userauth.php (Arbeitskopie)
var $getMethodEnabled = FALSE; // Setting this flag true lets user-authetication happen from GET_VARS if POST_VARS are not set. Thus you may supply username/password from the URL.
var $lockIP = 4; // If set, will lock the session to the users IP address (all four numbers. Reducing to 1-3 means that only first, second or third part of the IP address is used).
var $lockHashKeyWords = 'useragent'; // Keyword list (commalist with no spaces!): "useragent". Each keyword indicates some information that can be included in a integer hash made to lock down usersessions.
protected $enableSessionCleanup = true; // Whether to enable the automatic session cleanup tiggered by website hits
var $warningEmail = ''; // warning -emailaddress:
var $warningPeriod = 3600; // Period back in time (in seconds) in which number of failed logins are collected
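Review bot: the new property is declared `protected ... = true;` in a block where every neighbour uses `var` and upper-case `FALSE`/`TRUE` (see $getMethodEnabled two lines above), so it reads as a different file. Either follow the file's convention here or, if the intent is to start using real visibility keywords, at least keep the constant casing consistent. The comment also repeats the "tiggered" typo from config_default.php.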
......
}
// If we're lucky we'll get to clean up old sessions....
if ((rand()%100) <= $this->gc_probability) {
if ($this->enableSessionCleanup && (rand()%100) <= $this->gc_probability) {
$this->gc();
}
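Review bot: the comment "If we're lucky we'll get to clean up old sessions...." above the new condition no longer describes it; it should mention that when $enableSessionCleanup is false gc() is never reached from here, so an installation that turns the option off has to call gc() explicitly (for example from a scheduled task) if it wants expired sessions removed at all. Putting the flag first in the && is right, since it skips the rand() call entirely when disabled.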
typo3/sysext/cms/tslib/class.tslib_feuserauth.php (Arbeitskopie)
var $sendNoCacheHeaders = 0;
var $getFallBack = 1; // If this is set, authentication is also accepted by the _GET. Notice that the identification is NOT 128bit MD5 hash but reduced. This is done in order to minimize the size for mobile-devices, such as WAP-phones
var $getMethodEnabled = 1; // Login may be supplied by url.
protected $enableSessionDataCleanup = true; // Whether to enable the automatic session data cleanup tiggered by website hits
var $usergroup_column = 'usergroup';
var $usergroup_table = 'fe_groups';
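Review bot: this class now has two cleanup flags, $enableSessionDataCleanup declared here and $enableSessionCleanup inherited (protected) from t3lib_userauth, with near-identical comments that differ by one word. The doc comment here should state that this one controls the fe_session_data purge in the "delete old data" block below, while the inherited one controls gc() of the session table itself. The comment also carries the "tiggered" typo, and the `protected ... = true` style clashes with the surrounding `var` declarations in the same way as in t3lib_userauth.php.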
......
* @see t3lib_userAuth::start()
*/
function start() {
$this->enableSessionCleanup = (bool)$GLOBALS['TYPO3_CONF_VARS']['FE']['enableSessionCleanup'];
$this->enableSessionDataCleanup = (bool)$GLOBALS['TYPO3_CONF_VARS']['FE']['enableSessionDataCleanup'];
if (intval($this->auth_timeout_field)>0 && intval($this->auth_timeout_field) < $this->lifetime) {
// If server session timeout is non-zero but less than client session timeout: Copy this value instead.
$this->auth_timeout_field = $this->lifetime;
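Review bot: parent::start() is not visible in this hunk, and both flags only have an effect if they are assigned before it is called (the gc check lives in the parent); please confirm the call order in the full method and add a comment to that effect, as the BE counterpart would also benefit from one. The doc block above (the `@see t3lib_userAuth::start()` line) should additionally list the two new [FE] configuration keys this method now reads.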
......
$GLOBALS['TYPO3_DB']->sql_free_result($dbres);
}
// delete old data:
if ((rand()%100) <= 1) { // a possibility of 1 % for garbage collection.
if ($this->enableSessionDataCleanup && (rand()%100) <= 1) { // a possibility of 1 % for garbage collection.
$timeoutTimeStamp = intval($GLOBALS['EXEC_TIME'] - $this->sessionDataLifetime);
$GLOBALS['TYPO3_DB']->exec_DELETEquery('fe_session_data', 'tstamp < ' . $timeoutTimeStamp);
}
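Review bot: the comment copied onto the new condition, "a possibility of 1 % for garbage collection", is wrong: rand()%100 yields 0..99 and `<= 1` matches both 0 and 1, so the cleanup runs on 2 % of hits. Since the line is being rewritten anyway, either change the test to `(rand()%100) < 1` or correct the comment (and "possibility" should be "probability"). It would also be worth reusing the same probability mechanism the session gc uses ($this->gc_probability in t3lib_userauth) instead of a second hard-coded literal, so both cleanups are tuned in one place.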