+ /**
+ * Get a cookie. Contains an auth-specific hack.
+ * @param \WebRequest $request
+ * @param string $key
+ * @param string $prefix
+ * @param mixed $default
+ * @return mixed
+ */
+ protected function getCookie( $request, $key, $prefix, $default = null ) {
+ $value = $request->getCookie( $key, $prefix, $default );
+ if ( $value === 'deleted' ) {
+ // PHP uses this value when deleting cookies. A legitimate cookie will never have
+ // this value (usernames start with uppercase, token is longer, other auth cookies
+ // are booleans or integers). Seeing this means that in a previous request we told the
+ // client to delete the cookie, but it has poor cookie handling. Pretend the cookie is
+ // not there to avoid invalidating the session.
+ return null;
+ }
+ return $value;
+ }
+
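Review bot: The `'deleted'` branch returns `null` instead of `$default`, so a caller that passes a non-null default gets a different result for a "deleted" cookie than for a cookie that is really absent; `return $default;` would make the code match the comment's "pretend the cookie is not there". The cookie value is client-controlled, so the comment should also say why ignoring it is safe: a client that sends `deleted` gains nothing it could not get by omitting the cookie. The claim that no legitimate cookie can equal `deleted` rests on username and token format rules that are not visible in this hunk, so it is worth naming where those are enforced, or adding a test that pins them. The `@return` line could also state that this sentinel is mapped to "absent".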