I should note that if bots hit the login page, they will generate cookies. This has to occur in order for session data to be able to carry over. There is no workaround for this. We can only limit the cookie generation to specific pages

I'll test later.

Pretty sure this won't work though. In the scenario discussed, sa=login is never invoked. The non-modal form directly invokes login2.

Well, that can be fixed by updating the KickGuest() logic.

However, this will essentially negate the fixes for bot improvements on sessions for forums with guest access disabled.

There is no simple workaround for this.

We would have to change the kick guest to not issue the login template, but rather provide a simple direct link to the login page.

This also affects maintenance mode.

So this fix actually is tackling 3 parts

First part is the login modal, in which I just ensure that when we hit action=login, we generate a cookie always. This can increase the abuse by bots, but there is no avoiding this. We need cookies to process a login. To avoid abuse of action=login, there is options in apache to do rate limiting that would be better than what we can in SMF.

The second fix is for the KickGuest action that occurs for guests who visit the forum, and guest access is disabled. If a cookie has not been set, it presents a link to the action=login. The action=login will set the cookie and allow them to proceed.

The last part is for InMaintenance, which is set when the forum is in Maintenance mode. This is similar to KickGuest, but with a side effect that even in maintenance mode, we don't truly run the login action. So if a cookie is still not present, they will just get the same page. I don't think its worth it in maintenance mode to run logic to figure out that out and provide any help.

A couple notes -

• To the best of my knowledge, the issue has nothing to do with cookie creation. Extra cookies aren't the problem. Physical DB writes to the session cause issues, not cookies. In fact, the problem is almost the opposite: a couple of forums are not getting a new PHP cookie after the session is destroyed upon logout. The lack of the new PHP cookie with a fresh session ID for some folks is the issue.
• PHP creates that cookie, not SMF.

Ideally, we'd find why those folks aren't getting new PHP session cookies upon logout. What is different about their config that is causing that.