The session cookie itself should be valid only for the current browser session (i.e., automatically get logged out once the browser tab is closed). If the user wishes to stay logged in for longer than that, there should be a checkbox (on the login page) to "remember me".
The session cookie itself should be valid only for the current browser session (i.e., automatically get logged out once the browser tab is closed). If the user wishes to stay logged in for longer than that, there should be a checkbox (on the login page) to "remember me".