Question

In the most recommended solution for Persistent Login Cookies, a user's "Remember me" Cookie is always renewed with a new token when they log in with their Persistent Login Cookie. Let's say you set an expiry date of 30 days for the Cookie; this means that as long as they access the site once a month, they will never, ever have to enter their password again, since the renewed Cookie will keep pushing the expiry date 30 days into the future.

Is this a good idea?

If not, and we wanted to force them to log in at least once a month, then how would we know when their first Persistent Login Cookie was issued, considering we can't retrieve the expiry date of a Cookie?

Would we have to store the timestamp of the first Cookie in the Cookies themselves and keep track of it that way and then have the site delete the cookie when the original timestamp has expired?

Or am I overthinking all of this, and there is no problem with a user that never has to log in again (unless, of course, they are accessing a critical section of the site, such as their Account or Payment page)?
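One way to answer the question in the third paragraph, as an added example that is not from the original post: keep the token record server-side and carry the first-issuance timestamp forward on every renewal, so the sliding 30-day window can be capped by an absolute lifetime measured from the last password login. The class name, field names and the 14-day/30-day values are assumptions chosen for illustration.

```python
import hashlib
import secrets

DAY = 86400


class RememberMeStore:
    """Server-side 'remember me' tokens with a sliding expiry that is capped by
    an absolute lifetime counted from the first issuance (constructed example)."""

    def __init__(self, sliding_days=14, absolute_days=30):
        self.sliding = sliding_days * DAY
        self.absolute = absolute_days * DAY
        self.records = {}  # sha256(token) -> record; raw tokens are never stored

    @staticmethod
    def _key(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user_id, now, first_issued=None):
        """Create a fresh token. On renewal, first_issued is carried over so the
        absolute cap keeps counting from the original password login."""
        first_issued = now if first_issued is None else first_issued
        # The cookie never outlives the absolute cap, however often it is renewed.
        expires = min(now + self.sliding, first_issued + self.absolute)
        token = secrets.token_urlsafe(32)
        self.records[self._key(token)] = {
            "user": user_id, "first_issued": first_issued, "expires": expires}
        return token, expires - now  # second value is the cookie's Max-Age

    def redeem(self, token, now):
        """Validate a presented token and rotate it. Returns
        (user_id, new_token, max_age), or None if the token is unknown or
        expired. Tokens are single-use: a replayed token is rejected."""
        rec = self.records.pop(self._key(token), None)
        if rec is None or now >= rec["expires"]:
            return None
        new_token, max_age = self.issue(rec["user"], now, rec["first_issued"])
        return rec["user"], new_token, max_age
```

Once the absolute lifetime has passed, redeem() returns None and the site falls back to asking for the password, which is the "log in at least once a month" behaviour the question asks about.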


Solution

It really depends on the nature of the information being accessed on the site: for Stack Overflow it's OK; for more sensitive information, like access to a bank website, never.

Licensed under: CC-BY-SA with attribution