From 13a2c7e6aa8c8a0068696c5a5d4bdbaead0a6114 Mon Sep 17 00:00:00 2001 From: Josh Date: Sun, 8 Mar 2026 13:28:03 -0400 Subject: [PATCH 1/2] docs(config): clarify `remember_login_cookie_lifetime` behavior and scope Signed-off-by: Josh --- config/config.sample.php | 14 +++++++++++--- 1 file changed, 11 insertions(+), 3 deletions(-) diff --git a/config/config.sample.php b/config/config.sample.php index bad9aa86d8b65..ff0401e29f602 100644 --- a/config/config.sample.php +++ b/config/config.sample.php @@ -334,10 +334,18 @@ */ /** - * Lifetime of the remember login cookie. This should be larger than the - * session_lifetime. If it is set to 0, remember me is disabled. + * "Remember me" lifetime in seconds. * - * Defaults to ``60*60*24*15`` seconds (15 days) + * To avoid unexpected expiry, set this higher than ``session_lifetime``. + * + * Despite the key name, this value applies to the whole remember-me mechanism: + * persisted login state in the browser (remember-login cookies) and server-side + * expiration of remembered login tokens. Therefore, changing or clearing cookies + * alone may not fully reset remembered login state. + * + * To disable "Remember me" outright, set to ``0``. + * + * Defaults to ``60*60*24*15`` seconds (15 days). */ 'remember_login_cookie_lifetime' => 60 * 60 * 24 * 15, From a43384a9fcdf8299c6e528c3078a8693ec327118 Mon Sep 17 00:00:00 2001 From: Josh Date: Sun, 8 Mar 2026 13:45:11 -0400 Subject: [PATCH 2/2] chore(config): further revise remember_login_cookie_lifetime entry Signed-off-by: Josh --- config/config.sample.php | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/config/config.sample.php b/config/config.sample.php index ff0401e29f602..2de2f4a920a24 100644 --- a/config/config.sample.php +++ b/config/config.sample.php @@ -334,17 +334,18 @@ */ /** - * "Remember me" lifetime in seconds. + * Lifetime of logins where the user selected "Remember me", in seconds. + * + * A value >``0`` means "Remember me" is available. + * To make "Remember me" unavailable to users, set to ``0``. * * To avoid unexpected expiry, set this higher than ``session_lifetime``. * - * Despite the key name, this value applies to the whole remember-me mechanism: + * Despite the key name, this value applies to the full remember-me mechanism: * persisted login state in the browser (remember-login cookies) and server-side * expiration of remembered login tokens. Therefore, changing or clearing cookies * alone may not fully reset remembered login state. * - * To disable "Remember me" outright, set to ``0``. - * * Defaults to ``60*60*24*15`` seconds (15 days). */ 'remember_login_cookie_lifetime' => 60 * 60 * 24 * 15,