There’s a few different things that were going on with regard to this.
Firstly, I presume to replicate this problem you were logging in, going to the Privilege Example page where it would correctly say ‘User logged in via password’.
If you then closed the browser and then reopened this same page, it would still say ‘User logged in via password’. If you then refreshed the page, the user would be logged out.
This problem has now been fixed so the users session credentials are instantly removed, rather than after 1 page refresh. The update is available via the Github repo.
Now further into possibly the behaviour you were expecting.
The reason why the user was logged out rather than saying ‘User logged in via “remember me”’ is because of the config setting:
$config['security']['logout_user_onclose'] = TRUE;
This logs the user out when the browser is closed.
If you were to set the above setting to FALSE, and repeat the steps outlined at the top, it will still say ‘User logged in via password’ - this is because of the timelimit defined via the the config setting:
$config['security']['login_session_expire'] = 60*60*3;
If you were to change this to for example 10 seconds, provided you don’t refresh the page within 10 seconds, the users login status will fall back to ‘User logged in via “remember me”’ (Provided the remember option was selected on login), or log the user out completely.
After considering this, I think it is best that the login via password status should always be removed upon the browser being closed - so I will look to include this feature into the library soon.
I hope that helps explain whats happening.