• Bug
    • Resolution: Fixed
    • Minor
    • crowd2-plugin
    • None

      Currently, it appears that remember me does not work with the crowd2 plugin. I'm not using SSO - Jenkins is doing the prompt for login. It would be nice if the 'remember me' function would work so I didn't have to log in every time I close my browser.

          [JENKINS-17957] Crowd plugin - "remember me" doesn't work

          Nathan Neulinger created issue -

          Kanstantsin Shautsou added a comment -

          Crowd has a session timeout: https://confluence.atlassian.com/display/CROWD/Session+Configuration
          Is this time the same?
          How do you expect "remember me" to work?

          Kanstantsin Shautsou added a comment -

          https://github.com/jenkinsci/crowd2-plugin/blob/71e87644a84da733aca367258008121150352ef3/src/main/java/de/theit/jenkins/crowd/CrowdRememberMeServices.java#L108
          Remember me works only for SSO, but I'm not sure how it should change the session timeout.

          Nathan Neulinger added a comment -

          I was thinking that if I'm using Crowd just for password validation - and not for full session management, that jenkins would create its own session cookie that didn't expire. Yes, it's bypassing the session timeout settings from Crowd server, but seems like that should be an option.

          I don't use SSO with Crowd on any other services, but I don't have to log in every time with jira/confluence/crucible/etc. I did recently increase some session numbers though, so will have to see if that has any effect on jenkins session lifetime.

          Kanstantsin Shautsou added a comment -

          Crowd handles authorizations and their security. Jenkins mustn't cache passwords imho.
          I want to check only two things:

          • whether the browser can store the password, and then probably "remember me" can do "autologin"
          • probably SSO != "remember me"
          Kanstantsin Shautsou made changes -
          Link New: This issue is related to JENKINS-18791 [ JENKINS-18791 ]

          Nathan Neulinger added a comment -

          Wait, are you saying that the normal remember me is to SAVE THE PASSWORD?! That would be horrible. No remember me implementation should be done that way.

          I think remember me should just be setting cookie lifetime (and whether they last for more than one browser session) for the jenkins session cookies. It already has to have a cookie for tracking whether you're logged in or not - just make that "session" persistent over the max lifetime for remember-me.

          The only negative of this is that it would not be "aware" of the crowd session limitation, in which case, you could have jenkins periodically re-ask crowd if the user's session is still valid, or limit the max 'remember me' lifetime to whatever the session expiration limit is from crowd server.

          Nathan Neulinger added a comment -

          I think you should just have a simple "make the session cookie expire in NNNNN minutes if remember-me is selected" checkbox on the crowd plugin, which I think would be equivalent to a normal login.

          Kanstantsin Shautsou added a comment -

          Your cookie timeout is configured in Crowd. How do you want to authorize if it expires in, i.e., 30 minutes?

          Nathan Neulinger added a comment -

          In my environment, I don't have any crowd cookies since I'm not doing SSO. If you mean the crowd 'session' lifetime, not familiar enough with the details. For the most part, I don't limit the lifetimes to anything short, so in my case, I'd want it to just operate as it does now, but instead of setting cookie with the 'this session only' configuration, set it to have an expiration of 'N days'.

          That's how all the Atlassian apps operate when SSO isn't enabled - my session never expires as long as I don't delete the cookie.
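
          The design discussed in this thread (a persistent cookie instead of a stored password, its lifetime capped at the Crowd session limit, and a re-check against Crowd on use), sketched as an added example. It is not code from the crowd2 plugin; the cookie name, the demo key, and the `still_valid_at_idp` callback are assumptions.

```python
import base64
import hashlib
import hmac
import time

# Assumption: a per-instance secret; this value is constructed for the demo.
SERVER_KEY = b"constructed-demo-key-not-for-production"


def _sign(username, expires):
    msg = f"{username}:{expires}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def issue_token(username, requested_ttl, idp_session_ttl, now=None):
    """Return (cookie_value, max_age). The password never enters the token."""
    now = int(time.time()) if now is None else now
    max_age = min(requested_ttl, idp_session_ttl)  # never outlive the IdP limit
    expires = now + max_age
    raw = f"{username}:{expires}:{_sign(username, expires)}"
    return base64.urlsafe_b64encode(raw.encode()).decode(), max_age


def set_cookie_header(value, max_age):
    # Max-Age makes the cookie survive a browser restart; "remember-me" is a
    # hypothetical cookie name.
    return (f"remember-me={value}; Max-Age={max_age}; Path=/; "
            "HttpOnly; Secure; SameSite=Lax")


def validate_token(value, still_valid_at_idp, now=None):
    """Return the username, or None if malformed, forged, expired or revoked."""
    now = int(time.time()) if now is None else now
    try:
        raw = base64.urlsafe_b64decode(value.encode()).decode()
        username, expires_s, sig = raw.rsplit(":", 2)
        expires = int(expires_s)
    except (ValueError, UnicodeDecodeError):
        return None
    # Constant-time comparison of the presented and recomputed signatures.
    if not hmac.compare_digest(sig.encode(), _sign(username, expires).encode()):
        return None
    if now >= expires:
        return None
    # Re-ask the identity provider so a disabled account loses access.
    return username if still_valid_at_idp(username) else None
```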

            dumam Bartosz Nowak
            nneul Nathan Neulinger
            Votes: 13
            Watchers: 26