
Remember cookie set on page loads when REMEMBER_COOKIE_REFRESH_EACH_REQUEST is set to True, regardless of whether a remember cookie was set when the user logged in

Open ljsebald opened this issue 2 years ago • 0 comments

Describe the bug

A remember cookie is set for users on every page load if the REMEMBER_COOKIE_REFRESH_EACH_REQUEST configuration option is set to True, even if a remember cookie was not set when the user is logged in initially by calling the login_user function.

To Reproduce

Steps to reproduce the behavior:

  1. Set app.config['REMEMBER_COOKIE_REFRESH_EACH_REQUEST'] = True.
  2. Call login_user(..., remember=False)
  3. Observe that the remember cookie is set.

Expected behavior

A remember cookie should not be set if the user is logged in with remember=False. Or the documentation for that configuration option should emphasize that setting the option to True will cause a remember cookie to always be set.

Additional context

I believe that the problem is caused by the fact that login_manager._update_remember_cookie will set the session["_remember"] to "set" if that variable is not set in the user's session and the configuration option mentioned above is also set. When calling login_user with remember=False, that variable is not set in the user's session at all.

ljsebald, Nov 14 '23 22:11
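A regression check for the behavior reported above, as an added example that is not part of the issue or of Flask-Login's code: it inspects the Set-Cookie headers of each response and reports the paths where a remember cookie was issued to a session that logged in with remember=False. The function names and the sample headers are constructed for illustration; `remember_token` is assumed to be the cookie name (Flask-Login's default).

```python
from http.cookies import SimpleCookie

REMEMBER_COOKIE_NAME = "remember_token"  # assumed: Flask-Login's default name


def remember_cookie_action(set_cookie_headers, name=REMEMBER_COOKIE_NAME):
    """Classify what one response does to the remember cookie.

    Returns "set", "clear" or None (cookie not touched).
    """
    action = None
    for header in set_cookie_headers:
        jar = SimpleCookie()
        jar.load(header)
        if name not in jar:
            continue
        morsel = jar[name]
        # A deletion carries an empty value or Max-Age=0, not a new token.
        cleared = morsel.value == "" or morsel["max-age"] == "0"
        action = "clear" if cleared else "set"
    return action


def unexpected_remember_cookies(exchanges, name=REMEMBER_COOKIE_NAME):
    """Return paths whose response set a remember cookie for a session
    that logged in with remember=False.

    exchanges: iterable of (path, remember_requested, set_cookie_headers).
    """
    return [
        path
        for path, remember_requested, headers in exchanges
        if not remember_requested
        and remember_cookie_action(headers, name) == "set"
    ]


# Constructed sample responses (not captured from a real application).
SAMPLE_EXCHANGES = [
    ("/login", False, ["session=abc; HttpOnly; Path=/"]),
    ("/profile", False, ["remember_token=7|deadbeef; Max-Age=31536000; Path=/"]),
    ("/logout", False, ["remember_token=; Max-Age=0; Path=/"]),
    ("/home", True, ["remember_token=9|cafe; Max-Age=31536000; Path=/"]),
]

if __name__ == "__main__":
    print(unexpected_remember_cookies(SAMPLE_EXCHANGES))
```

In an application's test suite, the exchanges would come from the test client's responses after a login_user(..., remember=False) call.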