If an user is authenticated, an “access token” is created that must be sent with every request to prove the identity of the caller. Otherwise the user will not be recognized by Zettelstore.
If the user was authenticated via the web interface, the access token is stored in a “session cookie”➚. When the web browser is closed, theses cookies are not saved. If you want web browser to store the cookie as long as lifetime of that token, the owner must set persistent-cookie of the startup configuration to true.
If the web browser remains inactive for a period, the user will be automatically logged off, because each access token has a limited lifetime. The maximum length of this period is specified by the token-lifetime-html value of the startup configuration. Every time a web page is displayed, a fresh token is created and stored inside the cookie.
If the user was authenticated via the API, the access token will be returned as the content of the response. Typically, the lifetime of this token is more short term, e.g. 10 minutes. It is specified by the token-timeout-api value of the startup configuration. If you need more time, you can either re-authenticate the user or use an API call to renew the access token.
If you remotely access your Zettelstore via HTTP (not via HTTPS, which allows encrypted communication), your must set the insecure-cookie value of the startup configuration to true. In most cases, such a scenario is not recommended, because user name and password will be transferred as plain text. You could make use of such scenario if you know all parties that access the local network where you access the Zettelstore.