Fix #11031, 10930: fix anonymous user auto-login
The original issue with 10930 was that user verification, when checking
to see if a user was logged in, would trigger automatic login of the
anonymous user account, which would lead to a redirect loop, where each
page load would auto-login the anonymous user and immediately log them
out and redirect.

The original fix for this disabled auto-login of the anonymous user
account when calling auth_is_user_authenticated(), which broke
expectations of much of the codebase.  By re-enabling auto-login, but
offering optional bypass of this process, it fixes both issues.

Any page expecting to correctly work with unauthenticated users will
need to pass a False parameter to the function to bypass automatic
anonymous login.
amyreese committed Dec 3, 2009
1 parent 5342844 commit 0085bcd
Showing 2 changed files with 4 additions and 3 deletions.
5 changes: 3 additions & 2 deletions core/authentication_api.php
Expand Up @@ -85,15 +85,16 @@ function auth_ensure_user_authenticated( $p_return_page = '' ) {
/**
* Return true if there is a currently logged in and authenticated user, false otherwise
*
* @param boolean auto-login anonymous user
* @return bool
* @access public
*/
function auth_is_user_authenticated() {
function auth_is_user_authenticated( $p_login_anonymous=true ) {
global $g_cache_cookie_valid;
if( $g_cache_cookie_valid == true ) {
return $g_cache_cookie_valid;
}
$g_cache_cookie_valid = auth_is_cookie_valid( auth_get_current_user_cookie( false ) );
$g_cache_cookie_valid = auth_is_cookie_valid( auth_get_current_user_cookie( $p_login_anonymous ) );
return $g_cache_cookie_valid;
}
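
Review bot: The early return on `$g_cache_cookie_valid == true` in `auth_is_user_authenticated()` ignores `$p_login_anonymous`, so once a call using the default `true` has cached a positive result, a later call in the same request that passes `false` gets that cached `true` back without the cookie being re-checked in bypass mode. Consider skipping the cache when the two modes differ, or tracking which mode produced the cached value. The docblock line `@param boolean auto-login anonymous user` should also name the parameter (`$p_login_anonymous`) and state that it defaults to `true`, since that default is what keeps auto-login on for every caller that is not updated.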

2 changes: 1 addition & 1 deletion verify.php
Expand Up @@ -37,7 +37,7 @@
$f_confirm_hash = gpc_get_string('confirm_hash');

# force logout on the current user if already authenticated
if( auth_is_user_authenticated() ) {
if( auth_is_user_authenticated( false ) ) {
auth_logout();

# reload the page after logout
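
Review bot: The comment above `if( auth_is_user_authenticated( false ) )` still reads only "force logout on the current user if already authenticated" and does not say why `false` is passed. Suggest extending it to note that `false` bypasses anonymous auto-login so that the logout and page reload that follow do not repeat on every load, which keeps a later cleanup from dropping the argument and reintroducing the redirect loop described in the commit message.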