github.com/nextcloud/server.git
author Roeland Jago Douma <roeland@famdouma.nl> 2019-01-22 18:16:55 +0300
committer Roeland Jago Douma <roeland@famdouma.nl> 2019-01-23 10:46:24 +0300
commit e6333c8fe389aca4e1e8349f276de0058c20c6bb
tree 09a98cfa0ed7706d830896a96fad7b33d10a7780 /core/Controller
parent af36746d7cbcdb9a5be1c6843bf2bc658678490b
Honor remember_login_cookie_lifetime
If the remember_login_cookie_lifetime is set to 0 this means we do not want to use remember me at all. In that case we should also not create a remember me cookie and should create a proper temp token.

Further this specifies that if it is not 0 the remember me time should always be larger than the session timeout. Because else the behavior is not really defined.

Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
Diffstat (limited to 'core/Controller')
-rw-r--r-- core/Controller/LoginController.php | 9
1 files changed, 8 insertions, 1 deletions
diff --git a/core/Controller/LoginController.php b/core/Controller/LoginController.php
index 40e13b43c80..64899304d78 100644
--- a/core/Controller/LoginController.php
+++ b/core/Controller/LoginController.php
@@ -329,7 +329,14 @@ class LoginController extends Controller {
// TODO: remove password checks from above and let the user session handle failures
// requires https://github.com/owncloud/core/pull/24616
$this->userSession->completeLogin($loginResult, ['loginName' => $user, 'password' => $password]);
- $this->userSession->createSessionToken($this->request, $loginResult->getUID(), $user, $password, IToken::REMEMBER);
+
+ $tokenType = IToken::REMEMBER;
+ if ((int)$this->config->getSystemValue('remember_login_cookie_lifetime', 60*60*24*15) === 0) {
+ $remember_login = false;
+ $tokenType = IToken::DO_NOT_REMEMBER;
+ }
+
+ $this->userSession->createSessionToken($this->request, $loginResult->getUID(), $user, $password, $tokenType);
$this->userSession->updateTokens($loginResult->getUID(), $password);
// User has successfully logged in, now remove the password reset link, when it is available
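Review bot: The `=== 0` test on the added `remember_login_cookie_lifetime` line disables remember-me only for an exact zero, so a negative configured value still falls through to `IToken::REMEMBER`; consider `<= 0` there. The commit message also says a non-zero lifetime should always be larger than the session timeout, but nothing in this hunk compares the two, so either add that check or reference where it is enforced. The default `60*60*24*15` is an inline magic number; a named constant reused wherever this setting is read would keep the defaults from drifting apart. `$remember_login = false;` is only assigned in the visible lines, so a short comment saying what it suppresses further down would make the intent clear.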