Probably not exactly what you are looking for but the topic reminds me of the cookie expire date.
About 15 years ago I learned about cookies and their expiry date. At the time it was totally up to you as a developer if you wanted to have a login that lasted 10 minutes or three years. While relevant for security, it was just a number you had to define. So it didn't feel like a big thing.
When I learned about concepts like 'remember me' I was a bit surprised, as in my world it was just about increasing the number for the cookie lifetime. In most cases, that is not entirely true as the modern 'remember me' implementations are more complex (e.g. to support re-authentication for modification of data), but the core principle is still the same (using a long living cookie for authentication).
So what was just a simple number back then, became a complex topic with legal implications nowadays.
About 15 years ago I learned about cookies and their expiry date. At the time it was totally up to you as a developer if you wanted to have a login that lasted 10 minutes or three years. While relevant for security, it was just a number you had to define. So it didn't feel like a big thing.
When I learned about concepts like 'remember me' I was a bit surprised, as in my world it was just about increasing the number for the cookie lifetime. In most cases, that is not entirely true as the modern 'remember me' implementations are more complex (e.g. to support re-authentication for modification of data), but the core principle is still the same (using a long living cookie for authentication).
So what was just a simple number back then, became a complex topic with legal implications nowadays.