I am using CredentialsAuthProvider with SS v4.0.39, and have been for well over a year. A client has asked what the "remember me" checkbox on the login page does. My understanding was that this determines whether the user's session is persisted across browser tabs.
However, having tested it, when rememberMe = false, the ss-pid cookie is still returned, and if I open other tabs/browser windows, the session is retrieved and user is an "authenticated" user.
Have I mis-understood the behaviour?