
Remember Me Functionality

By default, login state ends when the browser closes (session cookie).

โ€œRemember meโ€ uses a longer-lived cookie so users stay logged in.

Using remember=True

from flask_login import login_user
 
login_user(user, remember=True)

Often the user chooses this via a checkbox.

Security tradeoffs

Remember-me is convenient but can be risky:

  • if someone gains access to the device, they stay logged in

Mitigations:

  • allow users to revoke sessions
  • set reasonable expiration times
  • require re-auth for sensitive actions

Configure duration

Flask-Login allows setting:

  • REMEMBER_COOKIE_DURATION

You can set it in app config.

Best practice

For banking/high-security apps:

  • avoid long remember sessions
  • require multi-factor authentication (MFA)

For normal apps:

  • remember-me is common and acceptable.
