PHPackages                             wapplersystems/multisite-belogin - PHPackages - PHPackages  [Skip to content](#main-content)[PHPackages](/)[Directory](/)[Categories](/categories)[Trending](/trending)[Leaderboard](/leaderboard)[Changelog](/changelog)[Analyze](/analyze)[Collections](/collections)[Log in](/login)[Sign up](/register)

1. [Directory](/)
2. /
3. [Authentication &amp; Authorization](/categories/authentication)
4. /
5. wapplersystems/multisite-belogin

ActiveTypo3-cms-extension[Authentication &amp; Authorization](/categories/authentication)

wapplersystems/multisite-belogin
================================

Cross site/domain backend login for TYPO3. It allows backend users to work in the frontend across domains.

14.1.1(1mo ago)935.8k↓14.9%6[3 issues](https://github.com/WapplerSystems/t3-multisite_belogin/issues)[1 PRs](https://github.com/WapplerSystems/t3-multisite_belogin/pulls)2GPL-2.0-or-laterPHPPHP ^8.2

Since Aug 19Pushed 1mo ago1 watchersCompare

[ Source](https://github.com/WapplerSystems/t3-multisite_belogin)[ Packagist](https://packagist.org/packages/wapplersystems/multisite-belogin)[ Docs](https://github.com/WapplerSystems/t3-multisite_belogin)[ RSS](/packages/wapplersystems-multisite-belogin/feed)WikiDiscussions release/v14 Synced 2d ago

READMEChangelogDependencies (2)Versions (23)Used By (2)

Multisite Backend Login
=======================

[](#multisite-backend-login)

TYPO3 extension for automatic cross-domain backend login. Allows editors to use backend tools (e.g. frontend preview) across all configured site domains without separate login per domain.

Requirements
------------

[](#requirements)

- TYPO3 v14+
- PHP 8.2+
- Backend must be accessed via HTTPS

Installation
------------

[](#installation)

```
composer require wapplersystems/multisite-belogin
```

Add the `refresh` GET parameter to the cacheHash exclusion list in `config/system/settings.php`:

```
$GLOBALS['TYPO3_CONF_VARS']['FE']['cacheHash']['excludedParameters'][] = 'refresh';
```

How it works
------------

[](#how-it-works)

When an editor clicks "View page" in the TYPO3 backend, the target page may be on a different domain than the backend. Without this extension, the editor would not be authenticated on that domain and could not see unpublished content or use the admin panel.

This extension solves this by:

1. **Token generation** -- When the editor triggers a frontend preview, a short-lived token (60s TTL) is generated and stored in the backend session.
2. **Redirect** -- The preview URL is rewritten to pass through the token authentication endpoint (`/typo3/msbl/tokenauth`) with the token, user ID, and original target URL.
3. **Token validation** -- The middleware intercepts the request, validates the token against the stored session data, and authenticates the user.
4. **Cookie propagation** -- A backend session cookie with `SameSite=None` is set on the response, enabling cross-domain authentication.
5. **Redirect to target** -- The editor is redirected to the original preview URL, now fully authenticated.

Architecture
------------

[](#architecture)

### Authentication flow

[](#authentication-flow)

```
Backend (domain-a.com)                    Frontend (domain-b.com)
        |                                         |
        |  1. Editor clicks "View page"           |
        |  2. Token generated + stored in session  |
        |  3. Redirect to /typo3/msbl/tokenauth   |
        |         with ?msblToken=...&userid=...   |
        |  ─────────────────────────────────────>  |
        |                                         |  4. Middleware validates token
        |                                         |  5. BE session cookie set
        |                                         |  6. Redirect to target page
        |                                         |

```

### Components

[](#components)

ComponentDescription`TokenGenerator`Generates 40-char random hex tokens via `TYPO3\CMS\Core\Crypto\Random``TokenAuthenticationService`TYPO3 auth service (`subtype: getUserBE,authUserBE`) that validates tokens against stored sessions`TokenLoginAuthenticator`PSR-15 middleware on `/typo3/msbl/tokenauth` -- validates token, sets session cookie, redirects`LoginController`Backend route `/msbl/redirectToFrontend` -- generates token, stores in session, builds redirect URL`TokenController`Backend route for programmatic token generation (JSON API)`AfterPagePreviewUriGeneratedEventListener`Rewrites preview URIs to route through the token auth endpoint`BeforeUserLogoutEventListener`On logout: removes all other sessions for the user`AfterUserLoggedOutEventListener`On logout: cleanup of all remaining sessions`UserSessionManager`Extends core `UserSessionManager` to expose the session backend for direct session access### Configuration files

[](#configuration-files)

FilePurpose`Configuration/Backend/Routes.php`Registers `/msbl/redirectToFrontend` and `/msbl/tokenauth` backend routes`Configuration/RequestMiddlewares.php`Registers `TokenLoginAuthenticator` before backend routing`Configuration/Services.yaml`DI config + event listener registration`Configuration/Icons.php`Toolbar and module iconsSecurity considerations
-----------------------

[](#security-considerations)

- Tokens are cryptographically random (40-char hex)
- Tokens expire after 60 seconds
- Token validation uses safe `unserialize()` with `allowed_classes: false`
- Session cookies are set with `SameSite=None` (requires HTTPS)
- Failed login attempts are logged via PSR-3 logger

License
-------

[](#license)

GPL-2.0-or-later

###  Health Score

55

—

FairBetter than 97% of packages

Maintenance83

Actively maintained with recent releases

Popularity38

Limited adoption so far

Community20

Small or concentrated contributor base

Maturity66

Established project with proven stability

 Bus Factor1

Top contributor holds 88.2% of commits — single point of failure

How is this calculated?**Maintenance (25%)** — Last commit recency, latest release date, and issue-to-star ratio. Uses a 2-year decay window.

**Popularity (30%)** — Total and monthly downloads, GitHub stars, and forks. Logarithmic scaling prevents top-heavy scores.

**Community (15%)** — Contributors, dependents, forks, watchers, and maintainers. Measures real ecosystem engagement.

**Maturity (30%)** — Project age, version count, PHP version support, and release stability.

###  Release Activity

Cadence

Every ~62 days

Recently: every ~20 days

Total

17

Last Release

53d ago

Major Versions

11.0.1 → 12.0.32023-11-15

11.0.2 → 13.0.02025-02-11

13.0.1 → 14.0.02026-02-22

12.1.0 → 13.1.12026-05-11

13.1.1 → 14.1.12026-05-11

### Community

Maintainers

![](https://www.gravatar.com/avatar/a944bb90af783b13d74049f2d8adcff598f4e7cb0aad9d7040a6af0bb8c23984?d=identicon)[svewap](/maintainers/svewap)

---

Top Contributors

[![svewap](https://avatars.githubusercontent.com/u/1734738?v=4)](https://github.com/svewap "svewap (30 commits)")[![georgringer](https://avatars.githubusercontent.com/u/1905663?v=4)](https://github.com/georgringer "georgringer (2 commits)")[![Mabahe](https://avatars.githubusercontent.com/u/1684986?v=4)](https://github.com/Mabahe "Mabahe (2 commits)")

---

Tags

backendlogintypo3typo3-cms-extensionextensionloginbackendmultisitetypo3cross-domain

### Embed Badge

![Health badge](/badges/wapplersystems-multisite-belogin/health.svg)

```
[![Health](https://phpackages.com/badges/wapplersystems-multisite-belogin/health.svg)](https://phpackages.com/packages/wapplersystems-multisite-belogin)
```

PHPackages © 2026

[Directory](/)[Categories](/categories)[Trending](/trending)[Changelog](/changelog)[Analyze](/analyze)
