Persistent Login

Provides a "Remember Me" feature on the user login form that allows users to stay logged in across browser sessions.

persistent_login
6,032 sites
53
drupal.org

Install

Drupal 11 v2.2.4
composer require 'drupal/persistent_login:^2.2'
Drupal 10, 9 v8.x-1.10
composer require 'drupal/persistent_login:8.x-1.10'

Overview

The Persistent Login module implements a secure "Remember Me" functionality for Drupal sites. When users check the "Remember Me" option during login, they will automatically be logged back in when they return to the site, even after closing their browser.

Unlike simply extending PHP session lifetime (which is insecure and applies to all users), this module uses a secure token-based approach. It stores hashed tokens in the database using a series/instance pattern, where the series value is long-lived and the instance value is refreshed on each use. This approach helps detect token theft while maintaining persistent authentication.

The module is designed to work alongside standard Drupal sessions - when the browser is closed, the PHP session ends, but the persistent login cookie remains. On the next visit, the user is automatically authenticated using the persistent token.

Features

  • Adds a "Remember Me" checkbox to the user login form with configurable label
  • Secure token-based authentication using series/instance pattern (similar to the approach described in Barry Jaspan's "Improved Persistent Login Cookie Best Practice")
  • Configurable token lifetime in days, with optional lifetime extension on each use
  • Configurable maximum number of persistent login tokens per user
  • Automatic cleanup of expired tokens via cron
  • Users can view their active persistent logins on their profile page
  • Automatic token invalidation on password change with option to logout all devices
  • Tokens are automatically cleared when users log out, are deleted, or are cancelled
  • Page cache request policy prevents serving cached pages to users with pending persistent login cookies
  • Supports HTTPS-specific cookie prefixes for enhanced security
  • Configuration translation support for multilingual sites

Use Cases

Community or Member Portal Sites

For community sites or member portals where users access content regularly, enabling persistent login improves user experience by eliminating repeated login requirements while maintaining security. Users can check "Remember Me" on their personal devices to stay logged in across browser restarts.

E-commerce Sites with User Accounts

Online stores with customer accounts can use persistent login to keep customers logged in, making repeat purchases more convenient. The configurable token limit ensures users aren't logged in on too many devices simultaneously.

Corporate Intranets

For internal company sites accessed daily by employees, persistent login reduces friction while the automatic token expiration ensures sessions don't persist indefinitely. The per-user token list allows administrators and users to monitor active sessions.

Multi-device Access Management

Sites where users access from multiple devices can use the maximum token limit to control how many simultaneous persistent logins are allowed. Users can view their active sessions and administrators can configure appropriate limits.

Security-Conscious Sites with Convenience

Sites that need to balance security with user convenience can configure shorter token lifetimes (e.g., 7 days) with lifetime extension on use. This ensures inactive sessions expire quickly while active users remain logged in.

Tips

  • Set the session cookie lifetime to 0 in services.yml before enabling the module to avoid status report warnings
  • Consider enabling "Extend lifetime when used" for frequently visited sites to keep active users logged in
  • Set a reasonable maximum token limit to prevent users from having unlimited persistent sessions
  • Use a unique cookie prefix if running multiple Drupal sites on the same domain
  • Remember that changing the cookie prefix will log out all users with persistent sessions
  • The persistent login tokens are stored securely using hashed values in the database
  • Users can see their active persistent logins on the "Persistent Logins" tab of their profile page

Technical Details

Admin Pages

Persistent Login (/admin/config/system/persistent_login)

Configure settings for the persistent login feature including token lifetime, maximum tokens per user, login form label, and cookie prefix.

Persistent Logins (/user/{user}/persistent-logins)

Displays a table of the user's active persistent login sessions, showing when each was created, last used, and when it expires (if lifetime is configured). This page is accessible as a tab on user profile pages.

Hooks

hook_form_user_login_form_alter

Adds the "Remember Me" checkbox to the user login form and attaches a submit handler to create persistent login tokens when checked.

hook_form_user_form_alter

Adds a "Logout all other devices" checkbox to the user edit form when changing password. When checked along with a new password, all persistent login tokens for the user are cleared.

hook_user_logout

Clears the persistent login token for the current session when a user logs out.

hook_user_cancel

Clears all persistent login tokens for a user when their account is cancelled.

hook_user_delete

Clears all persistent login tokens for a user when their account is deleted.

hook_cron

Cleans up expired persistent login tokens from the database during cron runs.

Troubleshooting

Users are not staying logged in after browser restart

Ensure your services.yml file has 'session.storage.options.cookie_lifetime: 0' configured. The module requires session cookies to expire when the browser closes so the persistent login cookie can take over authentication.

Status report shows error about session cookie lifetime

Edit your site's services.yml file to add or modify the session.storage.options parameter with cookie_lifetime set to 0, then rebuild the cache.

Persistent login not working behind Varnish or other reverse proxy

Configure your reverse proxy to not serve cached responses for requests that include the persistent login cookie (default prefix 'PL' or 'SPL' for HTTPS).

All users were logged out after configuration change

Changing the cookie prefix will invalidate all existing persistent login cookies. This is expected behavior - users will need to log in again and select "Remember Me".

User tokens not being cleaned up

Ensure cron is running regularly on your site. The module's hook_cron implementation removes expired tokens from the database.

Security Notes

  • The module uses a secure series/instance token pattern that can detect token theft - if a token is used twice with the same series but different instance, it indicates potential theft
  • Tokens are stored as hashed values in the database, so raw token values cannot be recovered if the database is compromised
  • The module automatically clears all tokens when a user changes their password with the "Logout all devices" option checked
  • Tokens are automatically invalidated when users log out, are deleted, or have their accounts cancelled
  • HTTPS sites use a different cookie prefix (prepended with 'S') to prevent cookie collision attacks
  • The page cache policy prevents serving cached anonymous pages to users with persistent login cookies, ensuring proper authentication
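The series/instance scheme described in the Overview and in the Security Notes above, as an added example that is not the module's code: a hypothetical in-memory PersistentLoginStore (all names are assumed, and timestamps are plain integers) that issues a 'series:instance' cookie, stores only hashes, rotates the instance on every use, treats a known series presented with a stale instance as theft and drops the whole series, enforces the per-user token limit, optionally extends the lifetime on use, and purges expired series the way the module's cron hook would.

```python
import hashlib
import secrets
from dataclasses import dataclass

def _h(value: str) -> str:
    # Only hashes reach storage, so a database dump yields no usable cookie.
    return hashlib.sha256(value.encode()).hexdigest()

@dataclass
class Token:
    uid: int
    instance_hash: str
    expires: int

class PersistentLoginStore:  # hypothetical in-memory model, not the module's code
    def __init__(self, lifetime: int, max_tokens: int, extend_on_use: bool = False):
        self.lifetime, self.max_tokens, self.extend_on_use = lifetime, max_tokens, extend_on_use
        self.tokens: dict[str, Token] = {}  # keyed by hash(series), oldest first

    def issue(self, uid: int, now: int) -> str:
        # Start a new series for uid; the cookie value is 'series:instance'.
        mine = [s for s, t in self.tokens.items() if t.uid == uid]
        while len(mine) >= self.max_tokens:  # per-user limit: evict the oldest series
            self.tokens.pop(mine.pop(0))
        series, instance = secrets.token_urlsafe(24), secrets.token_urlsafe(24)
        self.tokens[_h(series)] = Token(uid, _h(instance), now + self.lifetime)
        return f"{series}:{instance}"

    def authenticate(self, cookie: str, now: int):
        # Returns ('ok', uid, new_cookie), ('theft', uid, None) or ('invalid', None, None).
        series, _, instance = cookie.partition(":")
        key = _h(series)
        tok = self.tokens.get(key)
        if tok is None or now >= tok.expires:
            self.tokens.pop(key, None)  # unknown or expired series
            return "invalid", None, None
        if not secrets.compare_digest(tok.instance_hash, _h(instance)):
            del self.tokens[key]  # known series, stale instance: a replayed cookie kills the series
            return "theft", tok.uid, None
        new_instance = secrets.token_urlsafe(24)  # rotate the short-lived half on every use
        tok.instance_hash = _h(new_instance)
        if self.extend_on_use:
            tok.expires = now + self.lifetime
        return "ok", tok.uid, f"{series}:{new_instance}"

    def cleanup(self, now: int) -> int:
        # Cron-style purge of expired series; returns how many were removed.
        expired = [s for s, t in self.tokens.items() if now >= t.expires]
        for s in expired:
            del self.tokens[s]
        return len(expired)
```

The theft branch fires exactly when an old cookie is replayed after the legitimate client has already rotated it, which is the signal the Security Notes describe.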