fix: session cookie — move force_remember hook from login_form_login to login_init

login_form_login is a form display hook that never fires on a successful login
POST (WordPress redirects before re-rendering). Moving to login_init (priority 5)
ensures $_POST['rememberme'] is set before wp_signon() reads the credentials,
so the auth cookie is written with an explicit expiry instead of expire=0
(session cookie cleared by browser on app close/swipe-up).

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Author: Andrew Baker

cs-code-block.php

@@ -3,7 +3,7 @@
  * Plugin Name: CloudScale DevTools
  * Plugin URI: https://andrewbaker.ninja
  * Description: Developer toolkit with syntax-highlighted code blocks, SQL query tool, code migrator, site monitor, and login security (passkeys, TOTP, email 2FA, hide login URL).
- * Version: 1.8.88
+ * Version: 1.8.90
  * Author: Andrew Baker
  * Author URI: https://andrewbaker.ninja
  * License: GPL-2.0-or-later
@@ -38,7 +38,7 @@
  */
 class CloudScale_DevTools {
 
-    const VERSION      = '1.8.88';
+    const VERSION      = '1.8.90';
     const HLJS_VERSION = '11.11.1';
     const HLJS_CDN     = 'https://cdnjs.cloudflare.com/ajax/libs/highlight.js/';
     const TOOLS_SLUG   = 'cloudscale-devtools';
@@ -311,9 +311,11 @@ public static function init() {
         add_filter( 'site_url',            [ __CLASS__, 'login_custom_site_url' ], 10, 4 );
 
         // Brute-force protection — check before authentication (priority 1, before password check).
-        add_filter( 'authenticate',     [ __CLASS__, 'login_brute_force_check' ], 1, 3 );
+        add_filter( 'authenticate',    [ __CLASS__, 'login_brute_force_check' ], 1, 3 );
         // Force persistent cookie when a custom session duration is configured.
-        add_action( 'login_form_login', [ __CLASS__, 'login_force_remember' ] );
+        // Must be login_init (fires before the POST is processed) not login_form_login
+        // (which is a display hook that never fires on a successful login POST).
+        add_action( 'login_init', [ __CLASS__, 'login_force_remember' ], 5 );
         // Security monitor — always track failed logins regardless of monitor toggle.
         add_action( 'wp_login_failed', [ __CLASS__, 'perf_track_failed_login' ] );
 
@@ -4214,12 +4216,18 @@ public static function login_session_expiration( int $expiration, int $user_id,
     }
 
     /**
-     * When a custom session duration is configured, forces "remember me" on the
-     * standard WordPress login form so the auth cookie is written as a persistent
-     * cookie (non-zero expiry) rather than a session cookie that browsers clear
-     * when closed.
+     * When a custom session duration is configured, forces "remember me" so the
+     * auth cookie is written as a persistent cookie (non-zero browser expiry)
+     * rather than a session cookie that browsers clear when closed/swiped away.
      *
-     * @since  1.9.5
+     * Hooked to `login_init` (priority 5) — fires before WordPress reads
+     * $_POST['rememberme'] when processing the login form POST, so wp_signon()
+     * receives remember=true and wp_set_auth_cookie() sets an explicit expiry.
+     *
+     * Note: login_form_login is a DISPLAY hook (fires when rendering the form)
+     * and never fires on a successful login POST — do NOT use that hook here.
+     *
+     * @since  1.8.88
      * @return void
      */
     public static function login_force_remember(): void {

readme.txt

@@ -4,7 +4,7 @@ Tags: code block, syntax highlighting, gutenberg block, dark mode, highlight.js
 Requires at least: 6.0
 Tested up to: 6.7
 Requires PHP: 7.4
-Stable tag: 1.8.88
+Stable tag: 1.8.90
 License: GPLv2 or later
 License URI: https://www.gnu.org/licenses/gpl-2.0.html
 
@@ -79,7 +79,10 @@ Yes. Press Enter to run the query. Use Shift+Enter to insert a newline. Ctrl+Ent
 
 == Changelog ==
 
-= 1.8.88 =
+= 1.8.90 =
+* Fixed: session cookie hook was wrong — login_form_login is a display hook that never fires on a successful login POST; moved to login_init so the persistent-cookie flag is set before WordPress processes credentials
+
+= 1.8.89 =
 * Added: Brute-force protection — configurable per-account lockout after N failed login attempts (default 5 attempts, 5-minute lock), with admin UI to adjust both thresholds
 * Fixed: Session persistence — login sessions now survive browser close when a custom session duration is set (auth cookie was a session cookie; now writes a persistent cookie)
 * Added: Thumbnails tab — Social Preview Diagnostics with URL checker (9-point OG/image diagnostic), recent posts auto-scan, Cloudflare WAF setup guide + crawler UA tester + cache purge, and Media Library auditor with one-click recompress for oversized images