Steps to reproduce the issue

• Install Joomla 3.10.6

• Set your session timeout to 1 minute

• Create a secondary user, let's call it joomlalala

• Log into the site's frontend with joomlalala checking the Remember Me setting

• Close the browser and wait for one minut

• Log into the backend of the site with your primary Super User account

• Update to Joomla 3.10.7

• Go to the frontend of the site

• You are logged into the site with joomlalala using cookie authentication (Remember Me).

• Log out of the site

• Try to log back into the site with user joomlalala using a password

Expected result

You are logged into the site

Actual result

You are NOT logged into the site

System information (as much as possible)

Completely irrelevant.

Additional comments

You are blindly setting the user's authProvider field to whatever the login method's type is, without checking if it corresponds to an existing plugin in the authentication group or it's a placeholder or if it's even a secondary authentication method, like the cookie authentication!

You are then using that to lock the user to that non-existent or secondary authentication plugin which means that the user can no longer log in. Since the cookie was destroyed when the user logged out they can never log into the site again.

Related issue on Joomla 4: #37411