When logging in without "remember me", use a shorter expiration on the auth token
It should be set to 24 hours. Right now it's very likely a user who doesn't "remember me" would just leave without explicitly hitting Log out. That means their token doesn't expire right away.
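
An added example of the behaviour requested above, not taken from the project's code: the token lifetime is chosen at login from the "remember me" flag and enforced server-side on every verification. The HMAC-signed token format, the function names and the 30-day "remember me" lifetime are assumptions; only the 24-hour value comes from this issue.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

SECRET = b"constructed-demo-key"       # constructed value; load from a secret store in practice
SESSION_TTL = 24 * 60 * 60             # 24 hours, the value this issue asks for
REMEMBER_ME_TTL = 30 * 24 * 60 * 60    # assumed; the issue does not state this lifetime


def _sign(payload: bytes) -> str:
    return hmac.new(SECRET, payload, hashlib.sha256).hexdigest()


def issue_token(user_id: str, remember_me: bool, now: Optional[float] = None) -> str:
    """Issue a signed token whose expiry depends on the 'remember me' choice."""
    now = time.time() if now is None else now
    ttl = REMEMBER_ME_TTL if remember_me else SESSION_TTL
    payload = json.dumps({"sub": user_id, "exp": int(now + ttl)}).encode()
    return base64.urlsafe_b64encode(payload).decode() + "." + _sign(payload)


def verify_token(token: str, now: Optional[float] = None) -> Optional[str]:
    """Return the user id, or None if the token is malformed, forged or expired."""
    now = time.time() if now is None else now
    try:
        body, sig = token.split(".")
        payload = base64.urlsafe_b64decode(body.encode())
        # Check the signature before trusting any claim, in constant time.
        if not hmac.compare_digest(sig, _sign(payload)):
            return None
        claims = json.loads(payload)
        # Expiry is enforced here, so a user who never hits Log out is still cut off.
        if now >= claims["exp"]:
            return None
        return claims["sub"]
    except (ValueError, KeyError, TypeError):
        return None
```

Because the expiry is inside the signed payload, a client cannot extend a 24-hour token by editing it; any cookie carrying the token should get a matching lifetime.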