Remember-me authentication sometimes doesn't work


      NOTE
      In 3.7.1, we'll be shipping a workaround that makes the remember-me problem less likely to occur. This workaround will however not completely eliminate all remember-me problems.
      A real fix for the problem (a rewrite of the remember-me functionality) is expected to ship in 3.8.0.

      A race condition has been discovered in remember-me authentication where two parallel HTTP requests provide the same remember-me cookie to Stash.

      The first request authenticates successfully and a new remember-me token is generated and returned to the browser.

      The second request attempts to authenticate using the now-stale token and is rejected. Furthermore, Stash detects that it is a stale token and, as a safety precaution against cookie theft attacks, invalidates all remember-me tokens for the user, including the new cookie that was just returned.
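      The following is an added model of the race described above, written for this page rather than taken from Stash: a series/token remember-me store that rotates the token on every use and, on seeing an already-rotated token, revokes every remember-me session of that user. The `grace_seconds` window that tolerates a stale token from a request that raced the rotation is an assumed mitigation for illustration, not the 3.7.1 workaround or the 3.8.0 rewrite.

```python
import secrets

class RememberMeStore:
    """Minimal model of rotating remember-me tokens (series id + one-time token).
    A successful use replaces the token; presenting an already-rotated token is
    treated as possible cookie theft and all of the user's remember-me series
    are dropped, which is the behaviour the issue describes.
    grace_seconds is an assumed mitigation, not the vendor's fix."""

    def __init__(self, grace_seconds=0.0):
        self.grace_seconds = grace_seconds
        self.series = {}  # series id -> {"user", "token", "previous", "rotated_at"}

    def login(self, user):
        series, token = secrets.token_hex(8), secrets.token_hex(16)
        self.series[series] = {"user": user, "token": token,
                               "previous": None, "rotated_at": None}
        return series, token

    def _revoke_all(self, user):
        for sid in [s for s, rec in self.series.items() if rec["user"] == user]:
            del self.series[sid]

    def authenticate(self, cookie, now):
        """Return (user, fresh_cookie), or None if the cookie is rejected."""
        series, token = cookie
        rec = self.series.get(series)
        if rec is None:
            return None
        if token == rec["token"]:
            # Normal path: rotate the token, remembering the old one briefly.
            rec["previous"], rec["rotated_at"] = token, now
            rec["token"] = secrets.token_hex(16)
            return rec["user"], (series, rec["token"])
        if (rec["previous"] == token and rec["rotated_at"] is not None
                and now - rec["rotated_at"] <= self.grace_seconds):
            # A parallel request that raced the rotation: accept the stale token
            # inside the grace window and hand back the current one. The window
            # trades a little theft-detection sharpness for not logging users out.
            return rec["user"], (series, rec["token"])
        # Stale token outside any grace window: treat as cookie theft.
        self._revoke_all(rec["user"])
        return None

def simulate_parallel_requests(grace_seconds):
    """Two requests carry the same cookie; returns (first_ok, second_ok, still_logged_in)."""
    store = RememberMeStore(grace_seconds)
    cookie = store.login("alice")            # constructed sample user
    first = store.authenticate(cookie, now=0.0)
    second = store.authenticate(cookie, now=0.2)   # arrives after the rotation
    return first is not None, second is not None, bool(store.series)
```

With no grace window the second request is rejected and the user's only series is revoked, so even the freshly issued cookie is dead; with a short window both requests succeed and the session survives.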

            Assignee:
            Michael Heemskerk (Inactive)
            Reporter:
            Michael Heemskerk (Inactive)
            Votes:
            3
            Watchers:
            11
