From b1f449762b5d11658b11d5036d5ae361a95fd61e Mon Sep 17 00:00:00 2001
From: Daniel Hensby
Date: Mon, 25 Jul 2016 12:08:15 +0100
Subject: [PATCH] [SS-2016-014] FIX Autologin cookies are ignored if autologin is disabled
---
 security/Member.php | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/security/Member.php b/security/Member.php
index 7a80e1343..56fb060e8 100644
--- a/security/Member.php
+++ b/security/Member.php
@@ -484,7 +484,8 @@ class Member extends DataObject implements TemplateGlobalProvider {
 $this->addVisit();
- if($remember) {
+ // Only set the cookie if autologin is enabled
+ if($remember && Security::config()->autologin_enabled) {
 // Store the hash and give the client the cookie with the token.
 $generator = new RandomGenerator();
 $token = $generator->randomToken('sha1');
@@ -567,7 +568,8 @@ class Member extends DataObject implements TemplateGlobalProvider {
 // Don't bother trying this multiple times
 self::$_already_tried_to_auto_log_in = true;
- if(strpos(Cookie::get('alc_enc'), ':') === false
+ if(!Security::config()->autologin_enabled
+ || strpos(Cookie::get('alc_enc'), ':') === false
 || Session::get("loggedInAs")
 || !Security::database_is_ready()
 ) {
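Review bot: The new `&& Security::config()->autologin_enabled` guard in the first hunk stops a fresh `alc_enc` token from being issued, but nothing visible here deals with a token hash stored for the member before autologin was switched off. If the non-remember path of the enclosing method (it continues outside this hunk) does not already null the stored hash and expire the cookie, older tokens would presumably be honoured again once the setting is re-enabled. Worth confirming, and recording the intent in the comment, e.g. `// Only issue a remember-me token if autologin is enabled; any existing token must be cleared otherwise`.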
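Review bot: With `autologin_enabled` off, the early exit in the second hunk leaves a presented `alc_enc` cookie untouched, so the browser keeps sending a long-lived login token on every request even though the server no longer accepts it. Consider expiring it before bailing out, e.g. `if(!Security::config()->autologin_enabled && Cookie::get('alc_enc')) Cookie::force_expiry('alc_enc');`, assuming the body of this `if` (outside the hunk) only returns. The diffstat shows only security/Member.php changed, so a regression test that disables `autologin_enabled` and asserts that a valid `alc_enc` cookie does not log the member in would pin this security fix.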