Scheduled: This is scheduled for this Tuesday (2016-08-16) during the 15:00 UTC SWAT window.
Author: swalling
Description:
Previously, we were required to remember a user's session information for no longer than 30 days on Wikimedia sites. The new privacy policy (https://meta.wikimedia.org/wiki/Privacy_policy) does not require such a limitation, and in fact explicitly calls out remembering logins as a use case: "...such as by using cookies to maintain your session when you log in or to remember your username in the login field."
As such, if a user checks the "keep me logged in" option on the login form, cookie expiry should be set to one year.
In practice, this will often be shorter, since users often travel across many browsers or devices, and may clear their cookies. At the very least, users who opt in to being remembered should have their sessions remembered for longer than the arbitrary 30-day limit.