if I use the checkbox for remember me during login I should be remembered
next time I visit my page I have to login again
use the remeber me function during login, close the browser window without logging out, and go to you website again. You are not logged in anymore.
It doesn't matter which setting I do have in security setting (tested medium and low)
I compared the behavior of the cookie. In 1.4.2 the live time of the cookie is changing after login to the following:
But since 1.4.3 the behavior is different. Before I logged in the cookie is looking as follow:
Valid until end of the session. That is right. But after logging in it is unchanged. It doesn't matter if I have the setting in the security settings to low or middle. And it doesn't matter if I am checking the remeber me function at login or not.
next observation: The _zsid cookie is marked as Sitzungscookie (session cookie). If I uncheck "session cookie" and add another date in future I am still logged in when leaving the site an come back.
Next observation: I do have two similar sites one is my live site with URL mysite.tld and the other one is my testing site with the URL testing.mysite.tld.
For the testing site I already manually unchecked the session cookie but not for the live site. I now logged in into the live site and opend in another tab my testing site. I was not logged in into my testing site anymore automatically. I looked for the cookies and can see two _zsid cookies. The one from the live site was still a sessions cookie and the one for my testing site do have still the longer valid time.
My conclusion: Both sites choose the same cookie with session is disabled.
There is something mixed up with the session handling. Might be it is also the same root cause for the language setting cookie.
Just a guess in the wild: @rallek please check in the SecurityCenter config page which value the settings Garbage collection probability and Periodically regenerate session id have. Maybe try changing the second one to false and see if this makes a difference.
Garbage collection probability
Periodically regenerate session id
There is also a third setting probability of regeneration which may be relevant, too.
probability of regeneration
changed Periodically regenerate session id to false but with no effect to the problem.
We do not specify a cookie_lifetime anywhere in the core.
Gültig bis = Date of Expiry
Am Ende der Sitzung = At the end of the session
correct rememberme function. fixes #3290
finalize FC session storage closes #3329