Merge pull request #9909 from creative-commoners/pulls/4/remember-thirty

ENH Reduce default token period from 90 to 30 days

docs/en/02_Developer_Guides/09_Security/00_Member.md

@@ -139,7 +139,8 @@ class MyMemberExtension extends DataExtension
 Logins can be "remembered" across multiple devices when user checks the "Remember Me" box. By default, a new login token
 will be created and associated with the device used during authentication. When user logs out, all previously saved tokens
 for all devices will be revoked, unless [`RememberLoginHash::$logout_across_devices`](api:SilverStripe\Security\RememberLoginHash::$logout_across_devices) is set to false. For extra security,
-single tokens can be enforced by setting [`RememberLoginHash::$force_single_token`](api:SilverStripe\Security\RememberLoginHash::$force_single_token) to true.
+single tokens can be enforced by setting [`RememberLoginHash::$force_single_token`](api:SilverStripe\Security\RememberLoginHash::$force_single_token) to true.  Tokens will be valid for 30 days by
+default and this can be modified via [`RememberLoginHash::$token_expiry_days`](api:SilverStripe\Security\RememberLoginHash::$token_expiry_days).
 
 ## Acting as another user
 

docs/en/04_Changelogs/4.8.0.md

@@ -49,3 +49,11 @@ for GraphQL 3 code in the `_legacy` folder, alongside `code/` / `src/`.
 
 It is likely that in the future, we will mandate the use of GraphQL 4 in Silverstripe CMS, and
 remove this shim. We expect this happen within just one minor release, making `_legacy/` a very short-lived workaround.
+
+## Enhancements
+
+### Default time period for log in form "remember me" checkbox reduced from 90 to 30 days
+
+Based on feedback from users, we've reduced the time period of the "remember me" checkbox on the login form from
+90 to 30 days.  This value is configurable via `SilverStripe\Security\RememberLoginHash::token_expiry_days`.
+

src/Security/RememberLoginHash.php

@@ -60,7 +60,7 @@ class RememberLoginHash extends DataObject
      * @config
      * @var int
      */
-    private static $token_expiry_days = 90;
+    private static $token_expiry_days = 30;
 
     /**
      * Number of days the device ID will be valid for