nextcloud · joshtrichards · Mar 8, 2026 · Mar 8, 2026 · come-nc · Mar 9, 2026
@@ -334,10 +334,19 @@
 	 */
 
 	/**
-	 * Lifetime of the remember login cookie. This should be larger than the
-	 * session_lifetime. If it is set to 0, remember me is disabled.
+	 * Lifetime of logins where the user selected "Remember me", in seconds.
 	 *
-	 * Defaults to ``60*60*24*15`` seconds (15 days)
+	 * A value >``0`` means "Remember me" is available.
+	 * To make "Remember me" unavailable to users, set to ``0``.
+	 *
+	 * To avoid unexpected expiry, set this higher than ``session_lifetime``.
+	 *
+	 * Despite the key name, this value applies to the full remember-me mechanism:
+	 * persisted login state in the browser (remember-login cookies) and server-side
+	 * expiration of remembered login tokens. Therefore, changing or clearing cookies
+	 * alone may not fully reset remembered login state.
 public function invalidateOldTokens() { 
 	$olderThan = $this->time->getTime() - $this->config->getSystemValueInt('session_lifetime', 60 * 60 * 24); 
 	$this->logger->debug('Invalidating session tokens older than ' . date('c', $olderThan), ['app' => 'cron']); 
 	$this->mapper->invalidateOld($olderThan, OCPIToken::TEMPORARY_TOKEN, OCPIToken::DO_NOT_REMEMBER); 
 	$rememberThreshold = $this->time->getTime() - $this->config->getSystemValueInt('remember_login_cookie_lifetime', 60 * 60 * 24 * 15); 
 	$this->logger->debug('Invalidating remembered session tokens older than ' . date('c', $rememberThreshold), ['app' => 'cron']); 
 	$this->mapper->invalidateOld($rememberThreshold, OCPIToken::TEMPORARY_TOKEN, OCPIToken::REMEMBER); 
 	$wipeThreshold = $this->time->getTime() - $this->config->getSystemValueInt('token_auth_wipe_token_retention', 60 * 60 * 24 * 60); 
 	$this->logger->debug('Invalidating auth tokens marked for remote wipe older than ' . date('c', $wipeThreshold), ['app' => 'cron']); 
 	$this->mapper->invalidateOld($wipeThreshold, OCPIToken::WIPE_TOKEN); 
 	$authTokenThreshold = $this->time->getTime() - $this->config->getSystemValueInt('token_auth_token_retention', 60 * 60 * 24 * 365); 
 	$this->logger->debug('Invalidating auth tokens older than ' . date('c', $authTokenThreshold), ['app' => 'cron']); 
 	$this->mapper->invalidateOld($authTokenThreshold, OCPIToken::PERMANENT_TOKEN); 
 } 
 public function invalidateOldTokens() { 
 	$olderThan = $this->time->getTime() - $this->config->getSystemValueInt('session_lifetime', 60 * 60 * 24); 
 	$this->logger->debug('Invalidating session tokens older than ' . date('c', $olderThan), ['app' => 'cron']); 
 	$this->mapper->invalidateOld($olderThan, OCPIToken::TEMPORARY_TOKEN, OCPIToken::DO_NOT_REMEMBER); 
  
 	$rememberThreshold = $this->time->getTime() - $this->config->getSystemValueInt('remember_login_cookie_lifetime', 60 * 60 * 24 * 15); 
 	$this->logger->debug('Invalidating remembered session tokens older than ' . date('c', $rememberThreshold), ['app' => 'cron']); 
 	$this->mapper->invalidateOld($rememberThreshold, OCPIToken::TEMPORARY_TOKEN, OCPIToken::REMEMBER); 
  
 	$wipeThreshold = $this->time->getTime() - $this->config->getSystemValueInt('token_auth_wipe_token_retention', 60 * 60 * 24 * 60); 
 	$this->logger->debug('Invalidating auth tokens marked for remote wipe older than ' . date('c', $wipeThreshold), ['app' => 'cron']); 
 	$this->mapper->invalidateOld($wipeThreshold, OCPIToken::WIPE_TOKEN); 
  
 	$authTokenThreshold = $this->time->getTime() - $this->config->getSystemValueInt('token_auth_token_retention', 60 * 60 * 24 * 365); 
 	$this->logger->debug('Invalidating auth tokens older than ' . date('c', $authTokenThreshold), ['app' => 'cron']); 
 	$this->mapper->invalidateOld($authTokenThreshold, OCPIToken::PERMANENT_TOKEN); 
 } 
+	 *
+	 * Defaults to ``60*60*24*15`` seconds (15 days).
 	 */
 	'remember_login_cookie_lifetime' => 60 * 60 * 24 * 15,