"Remember-me" users forced to log in too often

We've discovered a code bug that may be causing users who have checked "Remember me" to still be forced to log in whenever their session expires (default is after about 30 min of inactivity), rather than having their session automatically extended. This effect is so far hypothetical - it's not confirmed in practice yet.

The bug would affect Stash instances that having been running long enough for 500 user session invalidations to occur on the instance, and restarting the Stash server would reset this back to 0.

You may see a CookieTheftException in the logs when a user is forced to log in.