remember me doesn't remember me :)

Solved by arpinux · 25 Feb 2026 12:51

Hi!

The "remember me" function doesn't seem to work. I have to log in several times a day even if I don't close my graphical session.

Edited on Feb 23, 2026 by arpinux.

  • login
Best answer set by arpinux 11 days ago

Hi arpinux,
Bug confirmed!

Authentication — "Remember Me" Not Persisting Across Idle Periods

Reported by arpinux.

  • Fixed session destroyed after 1 hour even with "Remember Me" checked
    Session::handleTimeouts() unconditionally enforced IDLE_TIMEOUT = 3600 s and MAX_LIFETIME = 86400 s on every request, destroying the server-side session data regardless of whether the user had chosen to be remembered. The 30-day browser cookie survived, but the session it referenced was already gone, forcing a new login. Fixed by storing a _remember_me flag in the session at login time and skipping both timeout checks when that flag is present; last_activity is still updated normally. Affects app/Core/Session.php and app/Controllers/Auth/LoginController.php.

  • Fixed "Remember Me" cookie silently downgraded to session-only after 30 minutes
    Session::regenerate() calls session_regenerate_id(), which automatically sends a new Set-Cookie header using the configured cookie_lifetime = 0, overwriting the persistent 30-day cookie with a session-only one. After the first regeneration cycle the browser lost its persistent cookie. Fixed by calling the new private method Session::extendRememberMeCookie() immediately after session_regenerate_id() when _remember_me is set, re-sending the cookie with a fresh 30-day expiry. Affects app/Core/Session.php.

  • Fixed PHP session garbage collector deleting "Remember Me" session files after 24 hours
    session.gc_maxlifetime was set to MAX_LIFETIME = 86400 s (24 h), allowing PHP's GC to physically delete session files after a day of inactivity even for persistent sessions. Changed to REMEMBER_ME_LIFETIME = 2592000 s (30 days) so session files are retained long enough for the browser cookie to still find a valid server-side session. Affects app/Core/Session.php.

  • Fixed _remember_me flag never stored in session
    LoginController::login() and LoginController::verify2FA() set the 30-day session cookie but never wrote the corresponding flag into $_SESSION, so the fixes above had no entry point. Both methods now call Session::set('_remember_me', true) before issuing the persistent cookie. Affects app/Controllers/Auth/LoginController.php.
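
The fixes described in the answer above, put together as an added PHP sketch (not the project's actual app/Core/Session.php). Method and constant names come from the post; the method bodies, the `created_at` key and the cookie attributes are assumptions, and login is assumed to have already set `$_SESSION['_remember_me']`.

```php
<?php
declare(strict_types=1);

// Added sketch: names follow the post, bodies and cookie attributes are assumptions.
final class Session
{
    private const IDLE_TIMEOUT = 3600;            // 1 h
    private const MAX_LIFETIME = 86400;           // 24 h
    private const REMEMBER_ME_LIFETIME = 2592000; // 30 days

    public static function start(): void
    {
        // Set before session_start(): GC may delete session files older than this.
        ini_set('session.gc_maxlifetime', (string) self::REMEMBER_ME_LIFETIME);
        ini_set('session.cookie_lifetime', '0'); // default cookie is session-only
        session_start();
        self::handleTimeouts();
    }

    private static function handleTimeouts(): void
    {
        $now = time();
        $remembered = !empty($_SESSION['_remember_me']);
        $idle = $now - ($_SESSION['last_activity'] ?? $now);
        $age  = $now - ($_SESSION['created_at'] ?? $now); // hypothetical key
        if (!$remembered && ($idle > self::IDLE_TIMEOUT || $age > self::MAX_LIFETIME)) {
            session_unset();             // drop the expired session's data
            session_regenerate_id(true); // new ID, old session file deleted
        }
        $_SESSION['created_at'] ??= $now;
        $_SESSION['last_activity'] = $now; // updated for remembered sessions too
    }

    public static function regenerate(): void
    {
        session_regenerate_id(true); // emits Set-Cookie with cookie_lifetime = 0
        if (!empty($_SESSION['_remember_me'])) {
            self::extendRememberMeCookie(); // later header wins in the browser
        }
    }

    private static function extendRememberMeCookie(): void
    {
        setcookie(session_name(), session_id(), [
            'expires' => time() + self::REMEMBER_ME_LIFETIME,
            'path' => '/', 'secure' => true, 'httponly' => true, 'samesite' => 'Lax',
        ]);
    }
}
```

With both timeout checks skipped, a remembered session in this sketch is bounded only by the cookie expiry and PHP's garbage collection, so logout and password changes need to destroy the server-side session explicitly.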
