From 5445a0d3fc55ff7ac21e5db66d8855a4b5cda8dd Mon Sep 17 00:00:00 2001 From: Ingo Schommer Date: Mon, 21 May 2018 11:33:50 +1200 Subject: [PATCH 1/2] Corrected login data usage docs --- .../en/02_Developer_Guides/09_Security/06_Personal_Data.md | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/docs/en/02_Developer_Guides/09_Security/06_Personal_Data.md b/docs/en/02_Developer_Guides/09_Security/06_Personal_Data.md index dbe5e73ca..006bf0502 100644 --- a/docs/en/02_Developer_Guides/09_Security/06_Personal_Data.md +++ b/docs/en/02_Developer_Guides/09_Security/06_Personal_Data.md @@ -47,10 +47,13 @@ this unique link will persist across sessions. ## Login Attempts -SilverStripe can be configured to record login attempts, in order to lock out users +SilverStripe is configured by default to record login attempts, in order to lock out users after a defined number of attempts, and hence limit the attack surface of the login process. This is predicated on tracking the IP address of the attempt, which can be considered personal data. -See `SilverStripe\Security\Security::$login_recording` for details. +IP addresses related to these attempts are stored indefinitely unless manually purged +from the `LoginAttempt` table. +See `SilverStripe\Security\Security::$login_recording` and +`SilverStripe\Security\Security::$lock_out_after_incorrect_logins` for details. ## Logging and Exceptions From 9097a95de27daff07af6be0ec472934cd01b1d7e Mon Sep 17 00:00:00 2001 From: Ingo Schommer Date: Mon, 21 May 2018 11:36:53 +1200 Subject: [PATCH 2/2] Cookie lifetime docs --- docs/en/02_Developer_Guides/09_Security/06_Personal_Data.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/docs/en/02_Developer_Guides/09_Security/06_Personal_Data.md b/docs/en/02_Developer_Guides/09_Security/06_Personal_Data.md index 006bf0502..0749f5a93 100644 --- a/docs/en/02_Developer_Guides/09_Security/06_Personal_Data.md +++ b/docs/en/02_Developer_Guides/09_Security/06_Personal_Data.md 
@@ -44,6 +44,8 @@ SilverStripe will default to using PHP sessions for tracking logged-in users, which uniquely link users to their device/browser through a session cookie. If the user chooses the "Remember me" feature on login, this unique link will persist across sessions. +The default cookie lifetime for this feature is 48h. +See `SilverStripe\Security\Member::$auto_login_token_lifetime` for details. ## Login Attempts
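Review bot: In the first hunk (`06_Personal_Data.md`, `## Login Attempts`), the added sentence "IP addresses related to these attempts are stored indefinitely unless manually purged from the `LoginAttempt` table" names a data-retention obligation but not how to meet it. Since the paragraph is about personal data, the docs should say how a site owner is expected to purge that table (or state plainly that no retention mechanism ships with the framework and the integrator must add one), otherwise readers are left with a known indefinite store of IP addresses and no guidance. The change from "can be configured" to "is configured by default" also reverses the previous statement about the default; please double-check that against the default value of `SilverStripe\Security\Security::$login_recording` before merging, and consider adding a one-line note on how to disable recording for sites that do not want to collect IP addresses at all.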
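Review bot: In the second hunk (`06_Personal_Data.md`, the sessions paragraph), "this feature" is ambiguous: the preceding sentences mention both PHP session cookies and the "Remember me" option, and the referenced property `Member::$auto_login_token_lifetime` only governs the latter. Suggest: "The default lifetime of the 'Remember me' cookie is 48 hours; see `SilverStripe\Security\Member::$auto_login_token_lifetime` for details." Spelling out "48 hours" rather than "48h" matches the style of the surrounding prose, and the sentence should also mention that the value is configurable, since that is the actionable point for someone reviewing personal-data retention.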