The behavior of remembering the user's identity, if not their login, was added a long time ago.
This allows users whose session has expired, but are browsing public resources, to not be required to login again. They are asked for their password to perform an action that requires privileges the public does not have. This is seperate from persistent login. The login session can expire without requiring the user to type their password again if they are viewing public pages (ie: openacs.org behaves this way.)
So I think any change needs to still support this beheavior, at least as a parameter.
I haven't reviewed Victor's proposal to see if it supports this case yet.
