This article will discuss some elements of the login form that sometimes confuse users (and admins). Some of these concepts are not necessarily specific to WP-Members (or even WordPress) while some are, and some overlap.
How WordPress (and thus, WP-Members) Maintains Login State
The “Remember Me” Checkbox
WordPress has a “remember me” option in its login form. WP-Members reproduces this it is own login form, as do many other plugins that create a login form.
The “remember me” sets the expiration of the WordPress login cookie to expire in 2 weeks. If this is not checked, the WordPress login cookie will expire at the end of the session.
If a user returns to the site while the cookie is set and not expired, they will continue to be in a logged in state when they return to the site.
When the cookie expires and the user returns to the site, they will need to log in again.
The WP-Members sidebar widget does not include the “remember me” checkbox. However, it passes the “remember me” value as true automatically.
IMPORTANT: This checkbox has nothing to do with “saving” your login information for populating the login form. See the heading item “Saving Login Credentials” below for information about that.
Changing the “Remember Me” Timeframe
As with most WordPress features, the two week “Remember Me” cookie expiration can be changed (filtered) with the filter “auth_cookie_expiration“. That means that plugins or custom code can make it longer or shorter.
Since this article is intended to be an explanation of how things work and not a “how-to” article, it will not go into how to do this, but merely mentions that this possibility exists.
The fact that it can be customized means that if you are experiencing the possibility that users are not staying logged in when they should be means that if you have determined that you are certain it is not “operator error” with regards to how the process works, then you need to track down if there is a filter in place that is changing the “remember me” timeframe.
The process of logging out destroys the WordPress “auth” cookie (the cookie that keeps you logged in). This is intentional and serves to put you in a logged out state. When you return to the site, you will be required to log in again.
This operation is the same regardless of whether you log out using the WP-Members link or one of the WordPress generated logout links.
Saving Login Credentials
Most modern browsers include functionality to save your login credentials for various sites. When enabled, this will save your username and password and will populate the form with them automatically when you return to the site. There are plugins that do this as well.
It’s important to note that this is a browser feature and operation. It has nothing to do with WP-Members or WordPress (or any other web site you are accessing). If your username/password are being displayed in the form, that’s your browser settings, not the plugin. Likewise, if you have users who are returning to the site and asking about their username/password not being “saved,” you need to know if they mean saving their login credentials in the browser or that they are not logged in.