unless ( $class->valid_password($username, $password, $r)) {
        unset_cookie($r);
        return login_form($r);
    }