From 89e18d9d6544a00dad6362b5967cc8e7fa2717a1 Mon Sep 17 00:00:00 2001 From: Thomas Waldmann Date: Sat, 16 Nov 2013 05:14:03 +0100 Subject: [PATCH] document how cookies are used depending on the "keep me logged in" checkbox state --- docs/security.rst | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/docs/security.rst b/docs/security.rst index 483c15c..2d6e8da 100644 --- a/docs/security.rst +++ b/docs/security.rst @@ -128,6 +128,11 @@ If you have set WE_HAVE_SSL to True (because you run the software on a https site), you should also set *_COOKIE_SECURE to True to avoid the cookies getting transmitted via http. +For local account logins, we use a session cookie by default (gets cleared when +you close the browser). If you check the "Keep me logged in checkbox" on the +login screen, then we'll set a permanent cookie with a lifetime as configured +by the site admin (SESSION_COOKIE_AGE, default: 14 days). + Be careful with domain cookies ------------------------------
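Review bot: The closing quote in the second added line of the docs/security.rst hunk is misplaced: `the "Keep me logged in checkbox"` should read `the "Keep me logged in" checkbox`, as the commit subject already has it. In the third added line, "permanent cookie" conflicts with the lifetime stated right after it; "persistent cookie" would be more accurate, since the cookie expires after SESSION_COOKIE_AGE. The paragraph is also scoped to "local account logins" only, so a sentence on which cookie behaviour applies to any other login method would close the gap for admins deciding on SESSION_COOKIE_AGE.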