Since version 12.146.268, users can click on the "Remember Me" checkbox in the sign in screen so that their credentials are remembered for a number of days (30 by default). This feature is available for users authenticating with basic authentication (username/password) and LDAP authentication. It's not available for SAML authentication.
This document explains:
- How remember me works
- Disabling remember me
- Changing the number of days the credentials are remembered
- Setting the
TPM_REMcookie secure (v. 13.166.291+)
How remember me works
The Sign in screen presents a checkbox with the "Remember me" label. If the user clicks on the checkbox, her credentials will be remembered, and the next time she wants to use Team Password Manager she won't have to enter them:
The credentials of the user are remembered for 30 days by default, or until the user logs out. Note that if the auto-logout feature is activated, when the user is automatically logged out, her credentials will also be forgotten.
The user credentials will be remembered even if the session expires or the browser is closed.
In addition to the user credentials, if two-factor authentication is enabled for the user, the remember me feature won't ask the user for the two-factor authentication code after the first login.
Disabling remember me
The remember me feature can be disabled with the following parameter in config.php:
define('LOGIN_REMEMBER_DAYS', 0);
Changing the number of days the credentials are remembered
By default the user credentials are remembered for 30 days. This number of days can be changed with the following parameter in config.php:
define('LOGIN_REMEMBER_DAYS', XX);
Where XX is a number between 1 and 90 (defaults to 30). So, there's a minimum of 1 day and a maximum of 90. Note that if XX is 0, the remember me feature is disabled.
Reference to LOGIN_REMEMBER_DAYS
Setting the TPM_REM cookie secure (v. 13.166.291+)
The "Remember me" feature works by using a cookie stored in the user's browser, which stores a token to keep the user logged in. This cookie is called TPM_REM.
Before v. 13.166.291, we hardcoded this cookie as secure, but this caused issues in some high-availability setups. In v. 13.166.291 we no longer hardcode this cookie as secure, which means that if you want it secure, you should configure it in your installation.
Here's an example for Apache on how to secure the TPM_REM cookie. Add the following line to your VirtualHost entry (after SSLEngine on):
Header edit Set-Cookie "(?i)^(TPM_REM=.*)$" "$1; Secure"
Ensure the Header module is enabled and restart Apache for this to work.
Document changelog
| Dec 19, 2024: | How to secure the TPM_REM cookie for v. 13.166.291+ |
| Jul 12, 2023: | Document created |
