Basic authentication seems to forget login each time the user closes the browser. Can it be made to remember it (e.g. for at least 30 days) unless the user forcibly deletes cookies, etc.?
I've tried adding the following but it made no difference:
RewriteEngine On
RewriteCond %{HTTP_COOKIE} remember_me=([^;]+) [NC]
RewriteRule ^ - [E=REMOTE_USER:%1]
Header always set Set-Cookie "remember_me=%{REMOTE_USER}e; Path=/; Max-Age=2592000; HttpOnly; Secure" env=REMOTE_USER
No.
Because of several reason, one of which is that HTTP Basic authentication does not use cookies. The other is that basic authentication method for example also is not aware of a session and does not support a logout method either.
As the name says: it is a very basic authentication method and should NOT be used for access controls in any modern web application.
To be more precise - that depends on the client.
Basic authentication is completely stateless. The credentials must be sent again and again with each and every request to the server. And also the server must authenticate the client for each request separately. There is no session, and therefore, as the above answer mentions, there are no cookies. Basically, instead of sending the contents of a cookie, the client sends its credentials again. It's just one HTTP header instead of another.
The "remembering of the login" happens completely on the client-side. Without it, if you open a basic-authenticated webpage in a browser, you would have to enter your password like 10-100 times, depending on how many sub-requests the loading needs. That's why practically all clients "remember the login" at least for the current page load, even if you don't click that "remember" checkbox, because otherwise it's completely unusable.
So technically, if you can configure your browser to remember your basic-auth forever, then it won't ask you ever again. In practice, most browsers do not support this and only remember it for the current session or browser instance.
If you don't have control over your clients, then you're out of luck. On the server side, as pointed out above, there is zero you can do, because the server processes basic auth on a per-request basis.