docs(config): clarify remember_login_cookie_lifetime behavior and scope

[joshtrichards]

• Resolves: #

Summary

🧹 of the remember_login_cookie_lifetime config entry description.

Related PR: #58794

TODO

Checklist

• Code is properly formatted
• Sign-off message is added to all commits
• Tests (unit, integration, api and/or acceptance) are included
• Screenshots before/after for front-end changes
• Documentation (manuals or wiki) has been updated or is not required
• Backports requested where applicable (ex: critical bugfixes)
• Labels added where applicable (ex: bug/enhancement, 3. to review, feature component)
• Milestone added for target branch/version (ex: 32.x for stable32)

AI (if applicable)

• The content of this PR was partly or fully generated using AI

[come-nc]

Clearing the cookie in the browser? How could that not log you out?

I feel like you dived into the rememberme effects and know more than me, but what I’m reading in these two PR is confusing 🙈

[joshtrichards]

I went back and forth on how to document this. I wanted to leave out server-side implementation details since the audience is meant to be more admin-oriented, but I also wanted to keep it honest just in case there were some weird side effects that might impact admin-level troubleshooting. Clearing the cookies from the browser will effectively result in clearing things, but - technically - the server-side storage of the remember-me session token will still stick around until the server-side piece happens:

server/lib/private/Authentication/Token/PublicKeyTokenProvider.php

Lines 266 to 282 in 92cf64f

	public function invalidateOldTokens() {
	$olderThan = $this->time->getTime() - $this->config->getSystemValueInt('session_lifetime', 60 * 60 * 24);
	$this->logger->debug('Invalidating session tokens older than ' . date('c', $olderThan), ['app' => 'cron']);
	$this->mapper->invalidateOld($olderThan, OCPIToken::TEMPORARY_TOKEN, OCPIToken::DO_NOT_REMEMBER);
	$rememberThreshold = $this->time->getTime() - $this->config->getSystemValueInt('remember_login_cookie_lifetime', 60 * 60 * 24 * 15);
	$this->logger->debug('Invalidating remembered session tokens older than ' . date('c', $rememberThreshold), ['app' => 'cron']);
	$this->mapper->invalidateOld($rememberThreshold, OCPIToken::TEMPORARY_TOKEN, OCPIToken::REMEMBER);
	$wipeThreshold = $this->time->getTime() - $this->config->getSystemValueInt('token_auth_wipe_token_retention', 60 * 60 * 24 * 60);
	$this->logger->debug('Invalidating auth tokens marked for remote wipe older than ' . date('c', $wipeThreshold), ['app' => 'cron']);
	$this->mapper->invalidateOld($wipeThreshold, OCPIToken::WIPE_TOKEN);
	$authTokenThreshold = $this->time->getTime() - $this->config->getSystemValueInt('token_auth_token_retention', 60 * 60 * 24 * 365);
	$this->logger->debug('Invalidating auth tokens older than ' . date('c', $authTokenThreshold), ['app' => 'cron']);
	$this->mapper->invalidateOld($authTokenThreshold, OCPIToken::PERMANENT_TOKEN);
	}

It's probably such a subtle bit we could leave it out and assume there won't be any troubleshooting side effects for admins. I can't really think of any, unless - well, they clear their cookies then attempt to put them back in their browser or something and then wonder why they still work... ;-) Edit: And anyone that pokes around the database.