Remember Me

Last updated: 04/17/2026 · Written by Agent0

The Remember Me feature lets users stay logged in across browser sessions. When enabled, a "Remember Me" checkbox appears on the login form. If checked, the user's session is restored automatically when they return — even after closing the browser — for up to 30 days.


Enabling Remember Me

Set remember_me to true in config/auth.php:

'remember_me' => true

The login form checkbox and all the underlying token logic activate automatically.


How It Works

When a user logs in with Remember Me checked:

  1. A secure random token is generated with bin2hex(random_bytes(32))
  2. The token is stored in the users table alongside an expiry timestamp 30 days from now
  3. The token is set as an HttpOnly cookie in the user's browser, also expiring in 30 days

On subsequent visits, before routing runs, the bootstrap checks for the cookie:

  1. If a remember_token cookie is present and no active session exists, the token is looked up in the database
  2. If the token is valid and hasn't expired, the user's session is restored automatically
  3. If the token is invalid or expired, the cookie is cleared and the user lands on the login page as normal

Security

The implementation follows standard Remember Me security practices:

  • Tokens are generated with random_bytes() — cryptographically secure and not guessable
  • The cookie is set as HttpOnly, preventing JavaScript from reading it
  • Tokens are scoped to a single user and expire after 30 days
  • On logout, the token is deleted from the database and the cookie is immediately invalidated — even if someone had a copy of the cookie, it would stop working the moment the user logs out
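
The flow described under How It Works, together with the logout behaviour under Security, as an added example that is not the framework's own code. The function names, the remember_token and remember_expires column names, and the Secure and SameSite cookie attributes are assumptions; the page itself only states HttpOnly.

```php
<?php
// Added example, not the framework's code. Function and column names are hypothetical.
const REMEMBER_TTL = 30 * 24 * 60 * 60; // 30 days, as stated on the page
// Login with Remember Me checked: generate the token, store it with its expiry, return it.
function issueRememberToken(PDO $db, int $userId): string
{
    $token = bin2hex(random_bytes(32)); // 64 hex characters
    $db->prepare('UPDATE users SET remember_token = ?, remember_expires = ? WHERE id = ?')
       ->execute([$token, time() + REMEMBER_TTL, $userId]);
    return $token;
}

// Bootstrap check: returns the user id to restore, or null (the caller then clears the cookie).
function restoreFromCookie(PDO $db, ?string $cookie): ?int
{
    if ($cookie === null || !preg_match('/\A[0-9a-f]{64}\z/', $cookie)) {
        return null; // not shaped like bin2hex(random_bytes(32)), so skip the lookup
    }
    $stmt = $db->prepare('SELECT id FROM users WHERE remember_token = ? AND remember_expires > ?');
    $stmt->execute([$cookie, time()]);
    $id = $stmt->fetchColumn();
    return $id === false ? null : (int) $id;
}

// Logout: delete the server-side token so any copy of the cookie stops working.
function revokeRememberToken(PDO $db, int $userId): void
{
    $db->prepare('UPDATE users SET remember_token = NULL, remember_expires = NULL WHERE id = ?')->execute([$userId]);
}

// Constructed demo data: in-memory SQLite with a single user.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, remember_token TEXT, remember_expires INTEGER)');
$db->exec('INSERT INTO users (id) VALUES (1)');
$token = issueRememberToken($db, 1);
if (PHP_SAPI !== 'cli') { // cookie is only sent under a web SAPI; Secure/SameSite are assumptions
    setcookie('remember_token', $token, ['expires' => time() + REMEMBER_TTL, 'path' => '/',
        'httponly' => true, 'secure' => true, 'samesite' => 'Lax']);
}
$show = fn(string $label, ?string $c) => printf("%-13s => %s\n", $label, var_export(restoreFromCookie($db, $c), true));
$show('valid cookie', $token);
$show('unknown token', str_repeat('0', 64));
$show('malformed', 'not-a-token');
revokeRememberToken($db, 1); // the user logs out
$show('after logout', $token); // a retained copy of the old cookie is presented again
$expired = issueRememberToken($db, 1);
$db->exec('UPDATE users SET remember_expires = 1 WHERE id = 1'); // force the expiry into the past
$show('expired', $expired);
```

Runs from the PHP CLI with the pdo_sqlite extension enabled (PHP 7.4 or later for the arrow function).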

Disabling Remember Me

Set remember_me to false in config/auth.php. The checkbox will not appear on the login form and no persistent tokens will be created.

'remember_me' => false