enesbil
6 Jul 2015

Steps to reproduce the issue

Set up two separate PCs. Both have exactly the same browser version (same user agent). Log in on the first computer with user 1. Log in on the second PC with user 2. Check "Remember me" on both.

Expected result

You are logged in on both PCs every time you visit the page. PC 1 is logged in as User 1 and PC 2 is logged in as User 2.

Actual result

Because of the same user agents, the function getShortHashedUserAgent returns the same hash values. Remember me does not work any more; both users are logged out after the session expires.

System information (as much as possible)

Joomla! 3.4.0 Stable [ Ember ] 24-February-2015 23:00 GMT

Additional comments

Affected files:
/libraries/joomla/user/helper.php function getShortHashedUserAgent()
/plugins/authentication/cookie/cookie.php onUserAuthenticate()

It took me a lot of time to find this error. Currently, I have no solution for this problem. I am currently thinking about rewriting /plugins/authentication/cookie/cookie.php so that the cookies do not get deleted.

Has anyone faced the same issue?

enesbil - open - 6 Jul 2015
brianteeman - comment - 6 Jul 2015

Think about it - your assumptions cannot be correct - otherwise everyone in the world who is using the same browser as me is logged in to any site that I am logged in to automatically. Clearly that doesn't happen.


This comment was created with the J!Tracker Application at issues.joomla.org/joomla-cms/7357.

enesbil - comment - 6 Jul 2015

You are correct, I made a horrible mistake when understanding how remember me works. I will debug again and search for the source of this error. The error still exists, I am running a huge Joomla installation and estimated once a day you are logged out although "remember me" has been checked, and there is a valid cookie.

brianteeman - comment - 7 Jul 2015

I am closing this at this time. Please create a new issue when you determine the cause of your issue.



brianteeman - change - 7 Jul 2015
Status: New ⇒ Closed
Closed_Date: 0000-00-00 00:00:00 ⇒ 2015-07-07 09:00:29
Closed_By: brianteeman
brianteeman - close - 7 Jul 2015
Bakual - comment - 7 Jul 2015

Can you set up the debug plugin so it logs the warnings for the security group? The cookie plugin should trigger log messages if something goes wrong and this could give us a clue why it fails.

Personally I don't think it's due to same browsers. That one is only used to create the name of the cookie. It's a very simple and basic check, not even really security because anyone could guess the name and fake it.
It is used as the identifier together with the user id and the series string. So it shouldn't matter when there are multiple occurrences of the same browser even of the same user. The identifier will still be different due to the unique series part.

I think there is one thing which can break the cookie. It is when the browser does some "prefetching" of the page, but doesn't update the cookie while doing so. The cookie contains a one-time token which gets replaced on each login. If the browser sends the valid cookie, but doesn't update the cookie with the new value, then the next real visit will be detected as an attack and all cookies of that user (on all machines) will be invalidated.

enesbil - comment - 7 Jul 2015

Exactly that is happening.

I debugged all variables within the cookie.php file and came to the conclusion that either the cookie value or the token in #_user_keys is not updated. When checking password_verify($key,$token) I get false and all the keys of that user get invalidated (the comment on that line says that there is an attack).

On my site, this happens thousands of times daily.

What exactly do you mean by prefetching? Do you know how to get key/token correctly updated?

Bakual - comment - 7 Jul 2015

With prefetching I mean that a browser (or an addon in the browser) may make a request to the site before you actually visit it. I could imagine that happens for example when a browser addon shows screenshots of the favorite pages. For this it may do the request and take a snapshot which triggers the remember-me plugin, but the addon probably does not change the cookie value as requested by the page. Just an idea.

When you visit the page regularly, this is what happens with the cookie authentication:

  • The cookie is read. The name of that cookie is based on the browser UA string. But that doesn't matter much.
  • The value of the cookie consists of two parts, separated by a dot. First part is the token, second part the series. If the value doesn't contain those two parts, the cookie is rejected and deleted. Nothing bad happens other than that.
  • Next we clean the database of expired tokens and then try to find the matching record based on the unique series and the UA string (aka cookie name).
  • If that returns more than the expected single match, we destroy the cookie and refuse to authenticate. Something went wrong in the database as that should never happen. Time will solve this automatically as soon as the lifetime of the cookie runs out or the user logs out manually.
  • Assuming we only got one row back, we now have retrieved the (hashed) token and the userid. Now we are going to compare the token from the cookie with the one stored in the database. If that doesn't match, it either means the token was used twice or it was guessed. We are going to assume an attack and invalidate each stored token for that user and destroy the cookie in the browser.
  • If all went well so far, we have authenticated the user and allow him to log in.

After the login was performed successfully, the cookie plugin gets active again and will

  • Create a new random token
  • Set a new value for the cookie with the new token and the old series.
  • Update the database with the new hashed token.

After the user logs out using the logout button, the plugin again gets active and will

  • Delete all (should in normal cases be only one) tokens for the current series and delete the cookie. Which means the remember me feature will be cleared for the current browser.

Imho, it should work fine as long as the browser behaves and updates the cookie correctly.
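
The series/token rotation described in the comment above, modelled as an added example (not Joomla's code and not written by anyone in this thread). It shows how a request whose `Set-Cookie` response is discarded makes the next real visit look like token reuse and logs the user out on every machine. Class and function names are hypothetical, SHA-256 stands in for the password hash, and the user-agent based cookie name and expiry cleanup are left out.

```python
import hashlib
import hmac
import secrets


class RememberMeStore:
    """Server-side model: series -> (user_id, hashed one-time token)."""

    def __init__(self):
        self.rows = {}

    @staticmethod
    def _hash(token):
        # Assumption: SHA-256 replaces the real password hash to stay dependency-free.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user_id, series=None):
        """Create a new series, or rotate the token of an existing one."""
        series = series or secrets.token_hex(10)
        token = secrets.token_hex(16)
        self.rows[series] = (user_id, self._hash(token))
        return f"{token}.{series}"          # cookie value: token, dot, series

    def authenticate(self, cookie):
        """Return (status, replacement_cookie_or_None)."""
        parts = cookie.split(".")
        if len(parts) != 2:
            return "rejected", None         # malformed cookie: just drop it
        token, series = parts
        row = self.rows.get(series)
        if row is None:
            return "unknown-series", None
        user_id, stored_hash = row
        if not hmac.compare_digest(stored_hash, self._hash(token)):
            # Known series, wrong token: reuse or guess. Drop every series of the user.
            self.rows = {s: r for s, r in self.rows.items() if r[0] != user_id}
            return "attack-assumed", None
        return "ok", self.issue(user_id, series)   # same series, fresh token


def simulate_prefetch():
    """Constructed scenario: one user remembered on two machines."""
    store = RememberMeStore()
    pc1_cookie = store.issue(user_id=42)
    pc2_cookie = store.issue(user_id=42)
    # Background request sends the valid cookie but throws the new one away.
    prefetch_status, _discarded = store.authenticate(pc1_cookie)
    # The real visit replays the now stale token.
    visit_status, _ = store.authenticate(pc1_cookie)
    # The second machine never misbehaved, yet its series is gone as well.
    pc2_status, _ = store.authenticate(pc2_cookie)
    return prefetch_status, visit_status, pc2_status
```

When triaging reports like the one in this issue, the useful signal is a token mismatch on a series that was rotated only moments earlier, which points at a discarded `Set-Cookie` or two concurrent requests rather than a guessed token.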
