((p "If a user is authenticated, an " (@L (@H "“") "access token" (@H "”")) " is created that must be sent with every request to prove the identity of the caller." " " "Otherwise the user will not be recognized by Zettelstore.") (p "If the user was authenticated via the " (a (@ (href . "00001014000000")) "web user interface") ", the access token is stored in a " (a (@ (href . "https://en.wikipedia.org/wiki/HTTP_cookie#Session_cookie") (rel . "external")) (@L (@H "“") "session cookie" (@H "”"))) "." " " "When the web browser is closed, these cookies are not saved." " " "If you want the web browser to store the cookie for the lifetime of that token, the owner must set " (kbd "persistent-cookie") " of the " (a (@ (href . "00001004010000")) "startup configuration") " to " (kbd "true") ".") (p "If the web browser remains inactive for a period, the user will be automatically logged off, because each access token has a limited lifetime." " " "The maximum length of this period is specified by the " (kbd "token-lifetime-html") " value of the startup configuration." " " "Every time a web page is displayed, a fresh token is created and stored inside the cookie.") (p "If the user was authenticated via the API, the access token will be returned as the content of the response." " " "Typically, the lifetime of this token is shorter, e.g. 10 minutes." " " "It is specified by the " (kbd "token-lifetime-api") " value of the startup configuration." " " "If you need more time, you can either " (a (@ (href . "00001012050200")) "re-authenticate") " the user or use an API call to " (a (@ (href . "00001012050400")) "renew the access token") ".") (p "If you remotely access your Zettelstore via HTTP (not via HTTPS, which allows encrypted communication), you must set the " (kbd "insecure-cookie") " value of the startup configuration to " (kbd "true") "." " " "In most cases, such a scenario is not recommended, because user name and password will be transferred as plain text." 
" " "You could make use of such a scenario if you know all parties that access the local network where you access the Zettelstore."))
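
Added example (not part of the Zettelstore manual or its code): a small audit of the four startup configuration keys named above, reporting settings that weaken cookie and token handling. It assumes the file holds one `key: value` pair per line and that lifetimes are given in minutes; the sample configuration, the policy limits and the function names are constructed for illustration.

```python
# Added example, not Zettelstore code. Assumptions: one "key: value" pair
# per line, lifetimes in minutes, and hypothetical policy limits.
MAX_MINUTES = {"token-lifetime-html": 60, "token-lifetime-api": 10}

# Constructed sample configuration.
SAMPLE_CONFIG = """\
insecure-cookie: true
persistent-cookie: true
token-lifetime-html: 1440
token-lifetime-api: 10
"""

def parse_config(text):
    """Return the key/value pairs, skipping lines without a colon."""
    config = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            config[key.strip().lower()] = value.strip()
    return config

def enabled(value):
    """Conservative assumption: anything not clearly false counts as set."""
    return value.strip().lower() not in ("", "false", "0", "no")

def audit(text):
    """Return (key, message) findings for the cookie and token settings."""
    cfg = parse_config(text)
    findings = []
    if enabled(cfg.get("insecure-cookie", "")):
        findings.append(("insecure-cookie",
                         "allows the cookie over unencrypted HTTP"))
    if enabled(cfg.get("persistent-cookie", "")):
        findings.append(("persistent-cookie",
                         "token outlives the browser session"))
    for key, limit in MAX_MINUTES.items():
        raw = cfg.get(key)
        if raw is None:
            continue  # key absent: the built-in default applies
        if not raw.isdigit():
            findings.append((key, f"not a whole number: {raw!r}"))
        elif int(raw) > limit:
            findings.append((key, f"{raw} min exceeds limit of {limit}"))
    return findings

if __name__ == "__main__":
    for key, message in audit(SAMPLE_CONFIG):
        print(f"{key}: {message}")
```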