- Bug
- Resolution: Fixed
- Blocker
- 3.0.12
- None
PHP 5.4.4, MySQL 5.5.38, Linux 3.13.0, Debian Wheezy, FastCGI mode, any browser.
I find that banned users trying to visit my forum (running phpBB 3.0.12) cause infinite recursion, causing the page to crash (after having consumed many a CPU second). The recursion loop looks as follows:
session_begin at session.php:476
session_create at session.php:657
check_ban at session.php:1188
session_kill at session.php:933
session_create at session.php:657
check_ban at session.php:1188
session_kill at session.php:933
...
I suspect the cause of this is that the return value of the auth module's autologin function overrides the wish of session_kill() to create an ANONYMOUS session.
As long as the contract of the autologin function as described at <https://wiki.phpbb.com/Authentication_plugins#autologin_method> is to be considered reasonably correct, this seems like a bug, no? No particular behavior seems to be described at that page that the autologin function should implement to ensure that bans work correctly.
- caused
  - PHPBB-13234 Remember me cookie gets unset by admin reauthentication (Closed)
  - PHPBB-13190 phpbb_session_login_keys_test::test_reset_keys fails on develop-ascraeus (Closed)
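The call cycle from the report above, as an added example: a simplified PHP 8 model, not phpBB source and not the fix that was shipped. The method names come from the stack trace; the signatures, the constructed ban on user 42, the always-matching auth plugin and the `$guarded` switch are assumptions. Unguarded, the model recurses until its call cap; guarded, an explicit ANONYMOUS request skips autologin and the cycle ends.

```php
<?php
// Simplified model of the reported cycle; NOT phpBB source.
// Signatures, the ban list and the $guarded switch are hypothetical.
const ANONYMOUS = 1;
const BANNED_USER = 42; // constructed sample user id

// Constructed auth plugin: always re-identifies the same visitor
// (think external SSO), whatever session the caller asked for.
function autologin(): array { return ['user_id' => BANNED_USER]; }

class SessionModel
{
    public int $calls = 0;
    public int $user_id = ANONYMOUS;

    public function __construct(private bool $guarded) {}

    public function session_create(int $requested = 0): bool
    {
        if (++$this->calls > 10) { // stand-in for the real crash
            throw new RuntimeException('session_create recursion limit hit');
        }
        // Guard: an explicit ANONYMOUS request must not consult autologin.
        $skip = $this->guarded && $requested === ANONYMOUS;
        $row = $skip ? [] : autologin();
        $this->user_id = $row['user_id'] ?? ($requested ?: ANONYMOUS);
        return $this->check_ban() ? $this->session_kill() : true;
    }

    private function check_ban(): bool { return $this->user_id === BANNED_USER; }

    private function session_kill(): bool
    {
        // Drop the banned identity and ask for a guest session instead.
        return $this->session_create(ANONYMOUS);
    }
}

foreach ([false, true] as $guarded) {
    $s = new SessionModel($guarded);
    $label = $guarded ? 'guarded' : 'unguarded';
    try {
        $s->session_create();
        echo "$label: user_id {$s->user_id} after {$s->calls} call(s)\n";
    } catch (RuntimeException $e) {
        echo "$label: {$e->getMessage()}\n";
    }
}
```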