From 342c05e673d51f40f7f8b65e01368c42b9bad1e1 Mon Sep 17 00:00:00 2001
From: Michael Wilson
Date: Wed, 9 Oct 2024 13:36:40 +0930
Subject: [PATCH] fix updateUserLastLogin is called regardless of the value of isValid.
---
 modules/mfa/src/Auth/Process/Mfa.php | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/modules/mfa/src/Auth/Process/Mfa.php b/modules/mfa/src/Auth/Process/Mfa.php
index fc7fa607..2c73905b 100644
--- a/modules/mfa/src/Auth/Process/Mfa.php
+++ b/modules/mfa/src/Auth/Process/Mfa.php
@@ -700,9 +700,11 @@ public static function isRememberMeCookieValid(
 if ((int)$expireDate > time()) {
 $expectedString = self::generateRememberMeCookieString($rememberSecret, $state['employeeId'], $expireDate, $mfaOptions);
 $isValid = password_verify($expectedString, $cookieHash);
-
- $idBrokerClient = self::getIdBrokerClient($state['idBrokerConfig']);
- $idBrokerClient->updateUserLastLogin($state['employeeId']);
+
+ if ($isValid) {
+ $idBrokerClient = self::getIdBrokerClient($state['idBrokerConfig']);
+ $idBrokerClient->updateUserLastLogin($state['employeeId']);
+ }
 return $isValid;
 }
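Review bot: With the new `if ($isValid)` guard, an unexpired remember-me cookie whose hash fails `password_verify` now returns false without leaving any trace in this hunk, although a mismatching cookie is the case a defender most wants recorded. Consider an `else` branch that logs the employee ID and the verification failure through the module's existing logger, without logging the cookie value or its hash. The guarded `updateUserLastLogin` call is also a remote write inside a method named like a pure predicate, so a short comment such as `// Side effect: records last login with the ID broker, only for a verified cookie` would help callers. If that call can throw, a valid cookie would surface as an error rather than `true`, which is worth confirming is intended. The body of isRememberMeCookieValid starts and ends outside the hunk, so logging may already happen elsewhere.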