Closed yanxurui closed 1 year ago
I'm going to make this a duplicate of #313.
I'm still a little unclear what the rationale of this is. The demos don't follow the documentation advice, and I'm just not clear why it would be an issue to reveal the username or similar. (If you use the session backend, then you don't even reveal it, the session is encrypted).
I am using this module to implement something like 'remember me'. I understand that we should use
a random string such as a uuid or hash
as identity to make it unguessable for attackers. My question is: is it fine to use an identity that is immutable for a specific user? If so, what if the token (the identity) is leaked? If not, when should it be changed? Thanks in advance!
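An added, self-contained illustration of the pattern the question describes (this is not code from the issue or from the project being discussed, and the class, method names and the injectable `now` clock are assumptions made here): the cookie identity is a fresh random string per login, the server stores only a hash of it mapped to the user id, and a leaked or stale identity can be forgotten, rotated, or revoked for the whole user without touching the user account itself.

```python
import hashlib
import secrets
import time


class RememberMeStore:
    """In-memory mapping of opaque 'remember me' identities to user ids.

    Constructed for illustration only; a real deployment would back this
    with a database. Only a SHA-256 of each identity is stored, so a dump
    of the store does not yield usable cookies. A slow password hash is not
    needed here because the identity is 256 bits of CSPRNG output.
    """

    def __init__(self, ttl_seconds=30 * 24 * 3600, now=time.time):
        self._by_hash = {}   # sha256(identity) -> (user_id, expires_at)
        self._by_user = {}   # user_id -> set of hashes (for bulk revocation)
        self.ttl = ttl_seconds
        self._now = now      # injectable clock (assumed helper, eases testing)

    @staticmethod
    def _digest(identity):
        return hashlib.sha256(identity.encode("utf-8")).hexdigest()

    def issue(self, user_id):
        """Create a new random identity for user_id and return it (goes in the cookie)."""
        identity = secrets.token_urlsafe(32)          # 256 bits, URL/cookie safe
        h = self._digest(identity)
        self._by_hash[h] = (user_id, self._now() + self.ttl)
        self._by_user.setdefault(user_id, set()).add(h)
        return identity

    def authorized_userid(self, identity):
        """Resolve an identity from a cookie to a user id, or None if unknown/expired."""
        record = self._by_hash.get(self._digest(identity))
        if record is None:
            return None
        user_id, expires_at = record
        if self._now() >= expires_at:
            self.forget(identity)                     # lazily purge expired entries
            return None
        return user_id

    def forget(self, identity):
        """Invalidate a single identity (logout from this device)."""
        h = self._digest(identity)
        record = self._by_hash.pop(h, None)
        if record is not None:
            self._by_user.get(record[0], set()).discard(h)

    def revoke_all(self, user_id):
        """Invalidate every identity of a user, e.g. after a suspected cookie leak."""
        for h in self._by_user.pop(user_id, set()):
            self._by_hash.pop(h, None)

    def rotate(self, identity):
        """Replace a valid identity with a fresh one; returns the new identity or None."""
        user_id = self.authorized_userid(identity)
        if user_id is None:
            return None
        self.forget(identity)
        return self.issue(user_id)


if __name__ == "__main__":
    store = RememberMeStore()
    cookie = store.issue("alice")
    print("resolves to:", store.authorized_userid(cookie))
    store.revoke_all("alice")
    print("after revoke:", store.authorized_userid(cookie))
```

Because the user id is never placed in the cookie, the identity can be replaced at will: `rotate` on each login limits how long a stolen cookie stays useful, and `revoke_all` handles the "token leaked" case from the question without changing anything about the user record.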