You wouldn’t want to set the cookie using Zend_Session::rememberMe() on each access. The reason for this is simply because each call to rememberMe() causes a new session id to be generated and the cookie is replaced by one with a new id. Data from the old session is copied to the new one and the old session is deleted.

Although no real harm would come out of this, there is overhead involved in doing this on each request. According to Zend, it is best practice to call this after the session has been started.

Also, if you did this unconditionally on each request, the only way you can differentiate between an automatic login after extended time and casual browsing would be to store the timestamp in the session and check it at the beginning of each request and set a time limit to determine a person as having gone away.

Instead, you could do this when a returning visitor goes to your login page to log in; you could then redirect them and they would be logged in without authenticating.

Or, if you want to update the session cookie periodically, you could call rememberMe() in your Bootstrap.php file after you have started the session. If you start the session from a plugin, or directly in the controllers, you should put the remember me call there after the session starts, and do it every so often (at your discretion).

See session_regenerate_id() which gets called when you call Zend_Session::rememberMe() and Zend Framework – Session Identifiers, as well as the following section on Session Hijacking and Fixation.