From 498e124bad576006685b3a89068ab5727803bbc8 Mon Sep 17 00:00:00 2001 From: jdarwood007 Date: Sun, 22 Mar 2026 06:23:36 -0700 Subject: [PATCH 1/9] [2.1] Ensure we set the cookie when presenting the login form Fixes #9158 --- Sources/LogInOut.php | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/Sources/LogInOut.php b/Sources/LogInOut.php index 93946ec1c0..eb1f398f98 100644 --- a/Sources/LogInOut.php +++ b/Sources/LogInOut.php @@ -82,6 +82,11 @@ function Login() 'name' => $txt['login'], ); + // Ensure the session data persists. + if (empty($_COOKIE)) { + setLoginCookie(60 * $modSettings['cookieTime'], 0, ''); + } + // Set the login URL - will be used when the login process is done (but careful not to send us to an attachment). if (isset($_SESSION['old_url']) && strpos($_SESSION['old_url'], 'dlattach') === false && preg_match('~(board|topic)[=,]~', $_SESSION['old_url']) != 0) $_SESSION['login_url'] = $_SESSION['old_url']; From c7f1002c69df7a83c5d1fd693666a8bd75ba9809 Mon Sep 17 00:00:00 2001 From: jdarwood007 Date: Sun, 22 Mar 2026 06:50:31 -0700 Subject: [PATCH 2/9] Cookies need to be set if we are kicking guests --- Sources/Subs-Auth.php | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/Sources/Subs-Auth.php b/Sources/Subs-Auth.php index e0d44f25b4..7e02e1b86f 100644 --- a/Sources/Subs-Auth.php +++ b/Sources/Subs-Auth.php @@ -210,11 +210,14 @@ function url_parts($local, $global) */ function KickGuest() { - global $txt, $context; + global $txt, $context, $modSettings; loadTheme(); loadLanguage('Login'); loadTemplate('Login'); + if (empty($_COOKIE)) { + setLoginCookie(60 * $modSettings['cookieTime'], 0, ''); + } createToken('login'); // Never redirect to an attachment From 448d8818c08d8bce274fe9812b70fcf14f74dabf Mon Sep 17 00:00:00 2001 From: jdarwood007 Date: Sun, 22 Mar 2026 06:53:39 -0700 Subject: [PATCH 3/9] Need cookies to login even in maintenance mode. --- Sources/Subs-Auth.php | 3 +++ 1 file changed, 3 insertions(+) 
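Review bot: In PATCH 1/9 (Login()), `empty($_COOKIE)` is true only when the request carried no cookie at all, so a browser that sends any unrelated cookie for the host skips the branch even if it has no session or forum cookie. If the aim is that the session survives until the login POST, testing for the specific cookie the login flow depends on would match that intent more closely. At minimum the comment should say what is tested, e.g. `// No cookies at all on this request: issue a cookie for member id 0 so the session survives to the login POST.` The same condition is repeated in KickGuest() (PATCH 2/9), InMaintenance() (PATCH 3/9) and Login2() (PATCH 9/9). Login() starts and ends outside this hunk.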
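Review bot: The three-line cookie block added to KickGuest() in PATCH 2/9 is a copy of the one PATCH 1/9 puts in Login(), and PATCH 3/9 and 9/9 add two more copies. Each copy depends on `$modSettings` being in that function's own `global` list, and PATCH 4/9 and 8/9 exist only to add a forgotten one. A single helper that declares the global itself removes that failure mode and leaves one place to change the condition or the lifetime. The helper name below is illustrative, and it would sit alongside setLoginCookie().

```php
// Illustrative name; define alongside setLoginCookie().
function ensureGuestCookie()
{
	global $modSettings;

	// Nothing to do when the client already sent cookies.
	if (!empty($_COOKIE))
		return;

	setLoginCookie(60 * $modSettings['cookieTime'], 0, '');
}

function KickGuest()
{
	// … unchanged: globals, loadTheme(), loadLanguage(), loadTemplate() …
	ensureGuestCookie();
	createToken('login');
	// … unchanged: attachment redirect guard, sub_template, page_title …
```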
diff --git a/Sources/Subs-Auth.php b/Sources/Subs-Auth.php index 7e02e1b86f..6991a1a72a 100644 --- a/Sources/Subs-Auth.php +++ b/Sources/Subs-Auth.php @@ -239,6 +239,9 @@ function InMaintenance() loadLanguage('Login'); loadTemplate('Login'); + if (empty($_COOKIE)) { + setLoginCookie(60 * $modSettings['cookieTime'], 0, ''); + } createToken('login'); // Send a 503 header, so search engines don't bother indexing while we're in maintenance mode. From 7e0dc2324ee4174ec2211d0400ebb1843c9d94c0 Mon Sep 17 00:00:00 2001 From: jdarwood007 Date: Sun, 22 Mar 2026 06:55:08 -0700 Subject: [PATCH 4/9] Missed a global --- Sources/Subs-Auth.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Sources/Subs-Auth.php b/Sources/Subs-Auth.php index 6991a1a72a..d9950238a1 100644 --- a/Sources/Subs-Auth.php +++ b/Sources/Subs-Auth.php @@ -235,7 +235,7 @@ function KickGuest() */ function InMaintenance() { - global $txt, $mtitle, $mmessage, $context, $smcFunc; + global $txt, $mtitle, $mmessage, $context, $smcFunc, $modSettings; loadLanguage('Login'); loadTemplate('Login'); From 198791f5fdbac0ffa945192ada353ff4e2fd332b Mon Sep 17 00:00:00 2001 From: jdarwood007 Date: Sun, 22 Mar 2026 07:32:42 -0700 Subject: [PATCH 5/9] To avoid creating cookies, use a different template --- Sources/Subs-Auth.php | 14 +++----- Themes/default/Login.template.php | 53 +++++++++++++++++++++++++++++++ 2 files changed, 57 insertions(+), 10 deletions(-) diff --git a/Sources/Subs-Auth.php b/Sources/Subs-Auth.php index d9950238a1..b0029d950d 100644 --- a/Sources/Subs-Auth.php +++ b/Sources/Subs-Auth.php 
@@ -210,21 +210,18 @@ function url_parts($local, $global) */ function KickGuest() { - global $txt, $context, $modSettings; + global $txt, $context; loadTheme(); loadLanguage('Login'); loadTemplate('Login'); - if (empty($_COOKIE)) { - setLoginCookie(60 * $modSettings['cookieTime'], 0, ''); - } createToken('login'); // Never redirect to an attachment if (strpos($_SERVER['REQUEST_URL'], 'dlattach') === false) $_SESSION['login_url'] = $_SERVER['REQUEST_URL']; - $context['sub_template'] = 'kick_guest'; + $context['sub_template'] = 'kick_guest' . (empty($_COOKIE) ? '_cookieless' : ''); $context['page_title'] = $txt['login']; } @@ -235,20 +232,17 @@ function KickGuest() */ function InMaintenance() { - global $txt, $mtitle, $mmessage, $context, $smcFunc, $modSettings; + global $txt, $mtitle, $mmessage, $context, $smcFunc; loadLanguage('Login'); loadTemplate('Login'); - if (empty($_COOKIE)) { - setLoginCookie(60 * $modSettings['cookieTime'], 0, ''); - } createToken('login'); // Send a 503 header, so search engines don't bother indexing while we're in maintenance mode. send_http_status(503, 'Service Temporarily Unavailable'); // Basic template stuff.. - $context['sub_template'] = 'maintenance'; + $context['sub_template'] = 'maintenance' . (empty($_COOKIE) ? '_cookieless' : ''); $context['title'] = $smcFunc['htmlspecialchars']($mtitle); $context['description'] = &$mmessage; $context['page_title'] = $txt['maintain_mode']; diff --git a/Themes/default/Login.template.php b/Themes/default/Login.template.php index dd0e2d4c41..c2bc646da2 100644 --- a/Themes/default/Login.template.php +++ b/Themes/default/Login.template.php @@ -350,6 +350,32 @@ function template_kick_guest() '; } +/** + * Tell a guest to get lost or login, Now without cookies! + */ +function template_kick_guest_cookieless() +{ + global $txt, $context, $scripturl; + + // This isn't that much... just like normal login but with a message at the top. + echo ' + '; +} + /** * This is for maintenance mode. */ 
@@ -398,6 +424,33 @@ function template_maintenance() '; } +/** + * This is for maintenance mode, but you don't have a cookie. + */ +function template_maintenance_cookieless() +{ + global $context, $settings, $txt, $scripturl; + + // Display the administrator's message at the top. + echo ' + '; +} + /** * This is for the security stuff - makes administrators login every so often. */ From 0572818a773059f2327410446219573b208caf83 Mon Sep 17 00:00:00 2001 From: jdarwood007 Date: Sun, 22 Mar 2026 07:45:53 -0700 Subject: [PATCH 6/9] Improved bot abuse on KickGuest and InMaintenance --- Sources/LogInOut.php | 2 +- Sources/Subs-Auth.php | 20 ++++++++++++++++---- 2 files changed, 17 insertions(+), 5 deletions(-) diff --git a/Sources/LogInOut.php b/Sources/LogInOut.php index eb1f398f98..a6cd494c52 100644 --- a/Sources/LogInOut.php +++ b/Sources/LogInOut.php @@ -27,7 +27,7 @@ */ function Login() { - global $txt, $context, $scripturl, $user_info; + global $txt, $context, $scripturl, $user_info, $modSettings; // You are already logged in, go take a tour of the boards if (!empty($user_info['id'])) diff --git a/Sources/Subs-Auth.php b/Sources/Subs-Auth.php index b0029d950d..30b030dc45 100644 --- a/Sources/Subs-Auth.php +++ b/Sources/Subs-Auth.php @@ -215,13 +215,19 @@ function KickGuest() loadTheme(); loadLanguage('Login'); loadTemplate('Login'); - createToken('login'); // Never redirect to an attachment if (strpos($_SERVER['REQUEST_URL'], 'dlattach') === false) $_SESSION['login_url'] = $_SERVER['REQUEST_URL']; - $context['sub_template'] = 'kick_guest' . (empty($_COOKIE) ? '_cookieless' : ''); + // If you don't have any cookies to ofer us, we wont waste resources creating a login page. + if (empty($_COOKIE)) { + $context['sub_template'] = 'kick_guest_cookieless'; + } else { + createToken('login'); + $context['sub_template'] = 'kick_guest'; + } + $context['page_title'] = $txt['login']; } 
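Review bot: In PATCH 6/9 (KickGuest(), and the matching InMaintenance() hunk that follows), the `empty($_COOKIE)` gate only saves work for clients that send no cookies. A request with any Cookie header takes the `else` branch and still gets `createToken('login')`, so this should not be relied on as a rate limit or abuse control. The comment could say so: `// Heuristic: skips token creation for cookieless clients only; not an abuse control.` In KickGuest(), `$_SESSION['login_url']` is still written above the gate, so session state is touched on the cookieless path too. The added comment also has typos ("ofer", "wont").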
@@ -236,13 +242,19 @@ function InMaintenance() loadLanguage('Login'); loadTemplate('Login'); - createToken('login'); // Send a 503 header, so search engines don't bother indexing while we're in maintenance mode. send_http_status(503, 'Service Temporarily Unavailable'); + // Admins need cookies. + if (empty($_COOKIE)) { + $context['sub_template'] = 'maintenance_cookieless'; + } else { + createToken('login'); + $context['sub_template'] = 'maintenance'; + } + // Basic template stuff.. - $context['sub_template'] = 'maintenance' . (empty($_COOKIE) ? '_cookieless' : ''); $context['title'] = $smcFunc['htmlspecialchars']($mtitle); $context['description'] = &$mmessage; $context['page_title'] = $txt['maintain_mode']; From 2e1444f6be029c051e60e7dea2df0628ff224170 Mon Sep 17 00:00:00 2001 From: jdarwood007 Date: Mon, 23 Mar 2026 16:28:35 -0700 Subject: [PATCH 7/9] Reverted changes --- Sources/LogInOut.php | 2 +- Sources/Subs-Auth.php | 28 +++++++--------- Themes/default/Login.template.php | 53 ------------------------------- 3 files changed, 12 insertions(+), 71 deletions(-) diff --git a/Sources/LogInOut.php b/Sources/LogInOut.php index a6cd494c52..eb1f398f98 100644 --- a/Sources/LogInOut.php +++ b/Sources/LogInOut.php @@ -27,7 +27,7 @@ */ function Login() { - global $txt, $context, $scripturl, $user_info, $modSettings; + global $txt, $context, $scripturl, $user_info; // You are already logged in, go take a tour of the boards if (!empty($user_info['id'])) diff --git a/Sources/Subs-Auth.php b/Sources/Subs-Auth.php index 30b030dc45..6991a1a72a 100644 --- a/Sources/Subs-Auth.php +++ b/Sources/Subs-Auth.php 
@@ -210,24 +210,21 @@ function url_parts($local, $global) */ function KickGuest() { - global $txt, $context; + global $txt, $context, $modSettings; loadTheme(); loadLanguage('Login'); loadTemplate('Login'); + if (empty($_COOKIE)) { + setLoginCookie(60 * $modSettings['cookieTime'], 0, ''); + } + createToken('login'); // Never redirect to an attachment if (strpos($_SERVER['REQUEST_URL'], 'dlattach') === false) $_SESSION['login_url'] = $_SERVER['REQUEST_URL']; - // If you don't have any cookies to ofer us, we wont waste resources creating a login page. - if (empty($_COOKIE)) { - $context['sub_template'] = 'kick_guest_cookieless'; - } else { - createToken('login'); - $context['sub_template'] = 'kick_guest'; - } - + $context['sub_template'] = 'kick_guest'; $context['page_title'] = $txt['login']; } @@ -242,19 +239,16 @@ function InMaintenance() loadLanguage('Login'); loadTemplate('Login'); + if (empty($_COOKIE)) { + setLoginCookie(60 * $modSettings['cookieTime'], 0, ''); + } + createToken('login'); // Send a 503 header, so search engines don't bother indexing while we're in maintenance mode. send_http_status(503, 'Service Temporarily Unavailable'); - // Admins need cookies. - if (empty($_COOKIE)) { - $context['sub_template'] = 'maintenance_cookieless'; - } else { - createToken('login'); - $context['sub_template'] = 'maintenance'; - } - // Basic template stuff.. + $context['sub_template'] = 'maintenance'; $context['title'] = $smcFunc['htmlspecialchars']($mtitle); $context['description'] = &$mmessage; $context['page_title'] = $txt['maintain_mode']; diff --git a/Themes/default/Login.template.php b/Themes/default/Login.template.php index c2bc646da2..dd0e2d4c41 100644 --- a/Themes/default/Login.template.php +++ b/Themes/default/Login.template.php 
@@ -350,32 +350,6 @@ function template_kick_guest() '; } -/** - * Tell a guest to get lost or login, Now without cookies! - */ -function template_kick_guest_cookieless() -{ - global $txt, $context, $scripturl; - - // This isn't that much... just like normal login but with a message at the top. - echo ' - '; -} - /** * This is for maintenance mode. */ @@ -424,33 +398,6 @@ function template_maintenance() '; } -/** - * This is for maintenance mode, but you don't have a cookie. - */ -function template_maintenance_cookieless() -{ - global $context, $settings, $txt, $scripturl; - - // Display the administrator's message at the top. - echo ' - '; -} - /** * This is for the security stuff - makes administrators login every so often. */ From df08d17cc52d2c8e21c1e4a41c19ac7258dec8c6 Mon Sep 17 00:00:00 2001 From: jdarwood007 Date: Mon, 23 Mar 2026 16:30:15 -0700 Subject: [PATCH 8/9] Reverted too much, restore a commit --- Sources/Subs-Auth.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Sources/Subs-Auth.php b/Sources/Subs-Auth.php index 6991a1a72a..d9950238a1 100644 --- a/Sources/Subs-Auth.php +++ b/Sources/Subs-Auth.php @@ -235,7 +235,7 @@ function KickGuest() */ function InMaintenance() { - global $txt, $mtitle, $mmessage, $context, $smcFunc; + global $txt, $mtitle, $mmessage, $context, $smcFunc, $modSettings; loadLanguage('Login'); loadTemplate('Login'); From 8619ae94bbc8768e41e8333b5c011ade3168d941 Mon Sep 17 00:00:00 2001 From: jdarwood007 Date: Wed, 25 Mar 2026 16:39:41 -0700 Subject: [PATCH 9/9] Another case of a failed session login --- Sources/LogInOut.php | 1 + 1 file changed, 1 insertion(+) diff --git a/Sources/LogInOut.php b/Sources/LogInOut.php index eb1f398f98..7b291d050c 100644 --- a/Sources/LogInOut.php +++ b/Sources/LogInOut.php 
@@ -268,6 +268,7 @@ function Login2() // Cookies are required... if (empty($_COOKIE)) { + setLoginCookie(60 * $modSettings['cookieTime'], 0, ''); $context['login_errors'] = array($txt['login_cookie_error']); return; }
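Review bot: The added `setLoginCookie(...)` call in Login2() reads `$modSettings`, and Login2()'s `global` statement is outside this hunk, so confirm it is declared there. The same call went into Login() and InMaintenance() earlier in this series without it. The branch still returns `$txt['login_cookie_error']`, so the visitor is told cookies are required on the very response that sets one. A comment would make the intent explicit, e.g. `// Issue the cookie now so the resubmitted form carries one; this attempt still fails.` This path is reached by an unauthenticated POST, so a client that never returns cookies triggers the call on every attempt; what setLoginCookie() costs per call is not shown here.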