I have clients calling me nonstop about this bug and this is the forum post that comes up in Google trying to track this down.
It's documented in Trac:
and over at GitHub
Basically there is a typo in Member where the RememberLoginToken is updated correctly for that member on auto login, but the old token is written to the cookie again (the cookie value remains unchanged).
The fix has been in place in trunk for 2 months (!) so I guess it's going to make its way into 2.4.6 when it's released. If you can't wait that long then here is the patch:
=== modified file 'sapphire/security/Member.php'
--- sapphire/security/Member.php 2011-05-10 06:57:10 +0000
+++ sapphire/security/Member.php 2011-07-27 07:53:57 +0000
@@ -399,7 +399,7 @@
$generator = new RandomGenerator();
$member->RememberLoginToken = $generator->generateHash('sha1');
- Cookie::set('alc_enc', $member->ID . ':' . $token, 90, null, null, false, true);
+ Cookie::set('alc_enc', $member->ID . ':' . $member->RememberLoginToken, 90, null, null, false, true);
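Review bot: on the changed `Cookie::set('alc_enc', ...)` line, the stored token and the cookie value are still produced by two separate expressions, so nothing stops them drifting apart again the way `$token` did here. Consider generating the hash into one local variable, assigning that to `$member->RememberLoginToken` and passing the same variable to `Cookie::set`, and add a regression test that performs an auto login and asserts the `alc_enc` cookie ends in the member's current RememberLoginToken. The trailing positional arguments `90, null, null, false, true` would also benefit from a short comment naming what each one sets, since this is a long-lived authentication cookie.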
Hopefully this will help those like me who track this down via Google.
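The effect of the typo described above, as an added simulation (not SilverStripe code and not part of the original post). It assumes auto login compares the cookie's token directly with the stored RememberLoginToken and rotates the stored value on success; `autoLogin`, `simulateVisits`, `$db` and `$jar` are hypothetical names.

```php
<?php
// Constructed simulation, not SilverStripe code. $db stands in for the Member
// table (member ID => RememberLoginToken), $jar for the browser's cookie jar.
function autoLogin(array &$db, array &$jar, bool $patched): bool
{
    if (!isset($jar['alc_enc'])) {
        return false;
    }
    // Cookie format taken from the patch: "<member ID>:<token>"
    $parts = explode(':', $jar['alc_enc'], 2);
    if (count($parts) !== 2) {
        return false; // malformed cookie
    }
    list($id, $token) = $parts;
    if (!isset($db[$id]) || !hash_equals($db[$id], $token)) {
        return false; // presented token is not the one on record
    }
    // Rotate: store a fresh token for this member on every auto login.
    $db[$id] = sha1(random_bytes(32));
    // Pre-patch, the cookie is rewritten with the token that was just
    // replaced; patched, it carries the value that was actually stored.
    $jar['alc_enc'] = $id . ':' . ($patched ? $db[$id] : $token);
    return true;
}

// Runs $visits consecutive auto logins for one browser and returns the
// success/failure of each.
function simulateVisits(bool $patched, int $visits): array
{
    $first = sha1(random_bytes(32));
    $db  = ['7' => $first];               // constructed member ID
    $jar = ['alc_enc' => '7:' . $first];  // cookie set at the original login
    $results = [];
    for ($i = 0; $i < $visits; $i++) {
        $results[] = autoLogin($db, $jar, $patched);
    }
    return $results;
}

var_dump(simulateVisits(false, 3)); // pre-patch behaviour
var_dump(simulateVisits(true, 3));  // patched behaviour
```

In the pre-patch run only the first auto login succeeds, because the cookie keeps presenting a token the server has already replaced; in the patched run every visit succeeds.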