From 891cef25112f39b0082be4b97f64c95e815b012f Mon Sep 17 00:00:00 2001
From: Marco
Date: Thu, 19 Oct 2017 03:00:28 +0200
Subject: [PATCH] Do not make repeated attempts to use invalid 'remember me' cookies
---
 src/Auth.php | 12 ++++++++++++
 1 file changed, 12 insertions(+)
diff --git a/src/Auth.php b/src/Auth.php
index 8012e60..dd9e987 100644
--- a/src/Auth.php
+++ b/src/Auth.php
@@ -113,6 +113,9 @@ final class Auth extends UserManager {
 // if a remember cookie is set
 if (isset($_COOKIE[$this->rememberCookieName])) {
+ // assume the cookie and its contents to be invalid until proven otherwise
+ $valid = false;
+
 // split the cookie's content into selector and token
 $parts = \explode(self::COOKIE_CONTENT_SEPARATOR, $_COOKIE[$this->rememberCookieName], 2);
@@ -131,11 +134,20 @@ final class Auth extends UserManager {
 if (!empty($rememberData)) {
 if ($rememberData['expires'] >= \time()) {
 if (\password_verify($parts[1], $rememberData['token'])) {
+ // the cookie and its contents have now been proven to be valid
+ $valid = true;
+
 $this->onLoginSuccessful($rememberData['user'], $rememberData['email'], $rememberData['username'], $rememberData['status'], $rememberData['roles_mask'], true);
 }
 }
 }
+
+ // if the cookie or its contents have been invalid
+ if (!$valid) {
+ // mark the cookie as such to prevent any further futile attempts
+ $this->setRememberCookie('', '', \time() + 60 * 60 * 24 * 365.25);
+ }
 }
 }
 }
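Review bot: The new `if (!$valid)` branch treats every failure alike, but the case where the selector is found in storage and `\password_verify` rejects the token is the classic signal of a copied or replayed remember-me cookie, and the patch only blanks the client cookie while the server-side record for that selector stays usable by whoever holds the real token. Consider also invalidating that record (or all remember records of the affected user) in an `else` of the `\password_verify` check; whether a helper for that deletion exists in this class is not visible here. Separately, `$this->setRememberCookie('', '', \time() + 60 * 60 * 24 * 365.25);` keeps an empty cookie on the client for a year, so every later request still enters the `isset($_COOKIE[...])` block and re-emits a Set-Cookie header; unless the empty value is deliberately kept as a marker, an expiry in the past, `$this->setRememberCookie('', '', \time() - 3600);`, removes the cookie and skips the block entirely. The lines between the two hunks (the parts-count check and the selector lookup) are outside this view, so this assumes a malformed cookie is rejected before `\password_verify` is reached.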