CVE-2025-6926
This is a workaround for extensions with some sort of "autologin"
implemented via the login page to indicate that the login flow
didn't involve the user actually logging in, it merely copied
some central login state, and so isn't appropriate for the
reauthentication flag.
This isn't the best way to provide an interface to extensions
(if we keep it, a more explicit interface, such as a
SessionPropertiesAuthenticationRequest object that's part of
the initial request set and can be modified by providers,
and can also be used for the "remember me" flag, would be
nicer), and maybe the whole approach of letting extensions
suppress the reauthentication flag is not the best way of
handling the problem in the first place, but it's simple
which is important for a security patch.
Bug: T389010
Change-Id: Ifce73837b25b0caad2d3d3cba000cceb0184c29d
b1adf3c728