This is split off from
We should be looking to extend the session timeout, perhaps with a "Keep me logged in", or "Remember me" checkbox at login.
This has been requested many times in duplicate trackers but it's often been confused with 'Remember me' which was interpreted as only the username when lots of people really meant the full session.
We need an admin setting for how long you should be remembered for, eg 1 month or 3 months. This is a maximum session length and should be treated differently to a session timeout. There is quite a few touch points.
From a security perspective long lived sessions are ok as long as you have the ability to re-authenticate when you need to do something for sensitive so I think this should be dependent on MDL-66172 (and why I didn't do it as part of