First off, this seems like a cool idea! I really like the theory behind it. I could just be misunderstanding what a session is, but my understanding is that a session is the time from when a user first enters a website to when they close the last tab, right? If so, the private key is deleted whenever a session ends. Wouldn't (from my understanding) this make "remember me" checkboxes on websites impossible without some long-term private key storage solution? My other guess is that a session refers to the time from when a user first logs into a site to when they log out, which would make sense to me. Thank you so much for your time!
Replies: 1 comment
"Session" in the context of this project refers to the time from when the user logs in to when they log out, either purposefully or due to session expiry. "Remember me" checkboxes are there to tell the website/server to keep the session alive for longer before expiring. With JWTs, that would mean the server includes a longer-dated expiry time in the token and/or refresh token when it issues it. So those checkboxes would continue to work as they currently do, since the tokens get removed from the browser when the user purposefully logs out anyway, meaning there's no harm in also removing the private key upon logout under this proposal. There's some good discussion in #46 about potentially having persistent keys and defining a session as starting from the moment the user lands on a website, but that doesn't seem to be in scope for an initial launch.