Part 2 of this answer explains it fairly well: https://stackoverflow.com/a/477578 Also, this was a nice read: https://web.archive.org/web/20180819014446/http://jaspan.com/improved_persistent_login_cookie_best_practice
It depends on your threat model, but the use of public computers in libraries, internet cafés or similar is probably the most relevant here, when arguing against activating "remember me". These days, shared computer use is declining, I'd assume. With twtxt being a niche for more computer-affine folks, I'd reckon this threat is not that high up the list. On the other hand, you want to bring yarnd to the average non-nerd user, so this threat might actually rank as more important.
It's probably okay and safe enough to remove "remember me" entirely and just issue a long-lived session cookie and be done with that. Optionally, power users or the administrator could benefit from configurable cookie lifetime(s).
> I’d rather suggest to enable the checkbox by default
I'm no longer sure, between the discussion(s), how this should behave or look now 🤣
Username: _<focused field>____
Password: ____________________
[x] Remember me (Enabling this feature will keep
you logged in, even after closing your browser.
Do not activate this setting on shared devices.)
[Login]
The "remember me" checkbox could already be activated by default. This would benefit people like @bender.
An alternative would be to make the session lifetime configurable in the user profile. So bender would then set this to forty-two years. :-) Definitely something for power users who know what they're doing. More dangerous for the average Joe, though.
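As an added illustration of the two options discussed in this thread (a "remember me" checkbox that decides between a browser-session cookie and a persistent one, and a per-user configurable session lifetime), here is a small Go helper. It is example code written for this discussion, not yarnd's own code; the cookie name, the default lifetime and the 30-day cap on persistent sessions are assumptions, as is the idea of clamping a user-configured lifetime so that "forty-two years" cannot actually be issued.

```go
package main

import (
	"fmt"
	"net/http"
	"time"
)

// Assumed policy values (not from yarnd): a one-day default for persistent
// sessions and a hard cap that a user profile setting cannot exceed.
const (
	DefaultPersistentTTL = 24 * time.Hour
	MaxPersistentTTL     = 30 * 24 * time.Hour
)

// SessionCookie builds the cookie carrying an already-issued session token.
//
// rememberMe == false yields a browser-session cookie: no Expires and no
// MaxAge, so the browser drops it when it is closed, which is the behaviour
// you want on a shared library or internet-café machine.
//
// rememberMe == true yields a persistent cookie whose lifetime is the user's
// configured ttl (from a profile setting), falling back to the default and
// clamped to MaxPersistentTTL so a misconfigured or overly generous value
// cannot produce an effectively unexpiring login.
func SessionCookie(token string, rememberMe bool, ttl time.Duration, now time.Time) *http.Cookie {
	c := &http.Cookie{
		Name:     "session", // assumed cookie name
		Value:    token,
		Path:     "/",
		HttpOnly: true, // not readable from page scripts
		Secure:   true, // only sent over HTTPS
		SameSite: http.SameSiteLaxMode,
	}
	if !rememberMe {
		return c // session-scoped: deliberately no Expires / MaxAge
	}
	if ttl <= 0 {
		ttl = DefaultPersistentTTL
	}
	if ttl > MaxPersistentTTL {
		ttl = MaxPersistentTTL
	}
	c.Expires = now.Add(ttl)
	c.MaxAge = int(ttl / time.Second)
	return c
}

func main() {
	now := time.Date(2024, 1, 1, 12, 0, 0, 0, time.UTC)
	// Constructed sample token; a real one would be a random opaque value.
	token := "constructed-sample-token"

	fmt.Println("unchecked:", SessionCookie(token, false, 0, now))
	fmt.Println("checked, default:", SessionCookie(token, true, 0, now))
	fmt.Println("checked, 42 years requested:", SessionCookie(token, true, 42*365*24*time.Hour, now))
}
```

The session-scoped cookie is the safe default for an unchecked box; enabling the box by default, as the mockup above proposes, simply flips which branch the login handler takes. Whether the cap should be 30 days or something else is a policy choice for the administrator.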