#514 - Option to salt login cookies against IP address

This is a spacer post for a website comment topic. The content this topic relates to: #514 - Option to salt login cookies against IP address
Actually this proposal would break things for mobile/laptop users.

Maybe the "remember me" option should be a list: "no, yes but only on this IP address, yes for any roaming IP address".

Problem with that is that it is UI bloat, so should be optional. Maybe we can move it into a question dialog that opens when submitting the login, and include the cookie privacy warning on that too. We're talking more like 6 hours' work then though.
Also considering salting to user agent.
This is really tricky.

Most users won't have a static IP. It may take time to change, but if we hashed to it we would be logging users out even if they are always using the same DSL/Cable connection. Definitely with wifi and cellular though.

User-agents also aren't stable. If browsers are upgraded it will change, but also some browsers change their user agent to trick sites into displaying in different ways (at least Edge does).
I'll drop this issue, but I've added a note in #1387 (2FA) that a 2FA account should salt cookies by IP and user-agent. If this causes some logins to be lost more often, that's reasonable and an expected trade-off for someone who set up 2FA. The sessions themselves won't be lost. This is probably very much in line with how the "Remember this machine" option works on 2FA logins, as opposed to just classic "Remember me".
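The design the last reply settles on, as an added example and not the project's own code: the "remember me" cookie carries an HMAC over the session id, salted with IP and user-agent only for 2FA accounts, so a roaming non-2FA user stays logged in while a 2FA cookie is rejected off its original client and the server-side session record survives either way. The key, session store, addresses and user-agent strings are constructed for the example.

```python
import hmac
import hashlib

# Constructed values for this example; a real site keeps the key in its config.
SERVER_KEY = b"example-cookie-signing-key"

# Constructed server-side session store. The session record stays here whether
# or not the remembered-login cookie still validates, so a rejected cookie only
# costs the user a fresh login, not the session itself.
SESSIONS = {
    "sess-roaming": {"user": "alice", "two_factor": False},
    "sess-2fa": {"user": "bob", "two_factor": True},
}

def _mac(session_id, client_ip, user_agent, bind_to_client):
    """HMAC over the session id, salted with IP and UA only when binding is on."""
    parts = [session_id]
    if bind_to_client:
        parts += [client_ip, user_agent]
    material = "\x00".join(parts).encode()
    return hmac.new(SERVER_KEY, material, hashlib.sha256).hexdigest()

def issue_cookie(session_id, client_ip, user_agent):
    """Build a 'remember me' cookie; only 2FA accounts get the IP/UA salt."""
    bind = SESSIONS[session_id]["two_factor"]
    return f"{session_id}.{_mac(session_id, client_ip, user_agent, bind)}"

def check_cookie(cookie, client_ip, user_agent):
    """Return the user the cookie logs in, or None if it no longer validates."""
    session_id, _, mac = cookie.partition(".")
    session = SESSIONS.get(session_id)
    if session is None:
        return None
    expected = _mac(session_id, client_ip, user_agent, session["two_factor"])
    if not hmac.compare_digest(mac, expected):
        return None
    return session["user"]

if __name__ == "__main__":
    home = ("203.0.113.5", "Browser/1.0")
    cafe = ("198.51.100.7", "Browser/1.0")
    alice = issue_cookie("sess-roaming", *home)
    bob = issue_cookie("sess-2fa", *home)
    print(check_cookie(alice, *cafe))  # alice: roaming user stays logged in
    print(check_cookie(bob, *cafe))    # None: 2FA cookie rejected off its IP
    print("sess-2fa" in SESSIONS)      # True: the session itself survives
```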