Forum OpenACS Q&A: Response to Cookie Expiration Recommendations

Posted by David Walker on
I believe that PersistentLoginDefaultP prevents a persistent cookie from being set. The system may still recognize already set persistent cookies unless you either clear out the active sessions table or clear the cookies on the user's machine. The system itself will clear out the sessions table after SessionLifetime expires.

The problem is that if a user closes his browser without logging out, anyone sitting at his computer can still access his account within the 2 hours that the session cookie takes to expire.
If no persistent cookie was set then this should not be the case. Once the browser is closed the cookie is deleted and logging back in will require a password.
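The distinction the reply draws, between the browser-side lifetime of the cookie and the server-side lifetime of the row in the sessions table, as an added illustration in Python (not OpenACS's own code). The cookie name, the 30-day persistent lifetime and the in-memory session table are assumptions; the 2-hour SessionLifetime comes from the discussion above.

```python
from datetime import datetime, timedelta

SESSION_LIFETIME = timedelta(hours=2)  # stands in for the SessionLifetime parameter


class SessionStore:
    """Server-side sessions table: a row stays valid until SessionLifetime passes."""

    def __init__(self):
        self.sessions = {}  # session_id -> creation time

    def create(self, session_id, now):
        self.sessions[session_id] = now
        return session_id

    def is_valid(self, session_id, now):
        created = self.sessions.get(session_id)
        return created is not None and now - created < SESSION_LIFETIME

    def clear(self):  # "clear out the active sessions table"
        self.sessions.clear()


def set_cookie_header(session_id, persistent, now):
    """Persistent cookies carry Expires; session cookies omit it (hypothetical cookie name)."""
    header = f"ad_session_id={session_id}; Path=/; HttpOnly"
    if persistent:
        expires = (now + timedelta(days=30)).strftime("%a, %d %b %Y %H:%M:%S GMT")
        header += f"; Expires={expires}"
    return header


class Browser:
    """Cookie jar that drops cookies without Expires when the browser is closed."""

    def __init__(self):
        self.cookies = {}  # name -> (value, persistent?)

    def store(self, header):
        name, value = header.split(";")[0].split("=")
        self.cookies[name] = (value, "Expires=" in header)

    def close_and_reopen(self):
        self.cookies = {n: c for n, c in self.cookies.items() if c[1]}

    def session_id(self):
        return self.cookies.get("ad_session_id", (None,))[0]


def simulate(persistent, close_browser=True, clear_table=False, minutes_later=30):
    """Does the server still accept the user after the given events? (constructed scenario)"""
    store, browser, t0 = SessionStore(), Browser(), datetime(2003, 1, 1, 12, 0)
    browser.store(set_cookie_header(store.create("s1", t0), persistent, t0))
    if close_browser:
        browser.close_and_reopen()
    if clear_table:
        store.clear()
    return store.is_valid(browser.session_id(), t0 + timedelta(minutes=minutes_later))
```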