What is a 'remember me' token vulnerability when the token is derived from the username and a static salt?