diff --git a/config.TEMPLATE.inc.php b/config.TEMPLATE.inc.php
index 2a1b82ff11e..f1dcc84289b 100644
--- a/config.TEMPLATE.inc.php
+++ b/config.TEMPLATE.inc.php
@@ -49,8 +49,9 @@
 ; Session cookie path; if not specified, defaults to the detected base path
 ; session_cookie_path = /
 
-; Number of days to save login cookie for if user selects to remember
-; (set to 0 to force expiration at end of current session)
+; Number of days a session remains valid while idle (minimum 1 day)
+; Values less than 1 are clamped to 1 day
+; To expire sessions when the browser closes, use session_expire_on_close in [security]
 session_lifetime = 30
 
 ; SameSite configuration for the cookie, see possible values and explanations
@@ -289,7 +290,9 @@
 ; migration of old password hashes.
 encryption = sha1
 
-; When set to On, expire cookie-based sessions upon closing the browser window.
+; When set to On, the session cookie expires when the browser is closed.
+; The server-side session data still persists for session_lifetime days
+; and is cleaned up by garbage collection.
 session_expire_on_close = Off
 
 ; The unique salt to use for generating password reset hashes
diff --git a/lib/pkp b/lib/pkp
index 037ef44252d..1e74d5fa9af 160000
--- a/lib/pkp
+++ b/lib/pkp
@@ -1 +1 @@
-Subproject commit 037ef44252d938119a37a18ea5f6f0137d8aa611
+Subproject commit 1e74d5fa9af25592054e95a3bd4f0edb6895f9f9