Presumably it puts a cookie on the user's computer, does this cookie expire after a certain amount of time? Or does it allow the user to be logged in indefinitely, unless they manually log out?

Yes it uses a cookie and by default it is set to 90 days. The relevant code if you're interested is in Member::logIn()

Interesting, I'm on 2.4.1

I have clients calling me nonstop about this bug and this is the forum post that comes up in Google trying to track this down.

It's documented in Trac:
http://open.silverstripe.org/ticket/6646
and over at github
https://github.com/silverstripe/sapphire/commit/ef6432d6476cbd47d91f52128c1d76a976881f59

Basically there is a typo in Member where the RememberLoginToken is updated correctly for that member on auto login, but the old token is written to the cookie again (the cookie value remains unchanged).

The fix has been in place in trunk for 2 months (!) so I guess it's going to make it's way into 2.4.6 when it's released. If you can't wait that long then here is the patch:

=== modified file 'sapphire/security/Member.php'
--- sapphire/security/Member.php 2011-05-10 06:57:10 +0000
+++ sapphire/security/Member.php 2011-07-27 07:53:57 +0000
@@ -399,7 +399,7 @@

$generator = new RandomGenerator();
$member->RememberLoginToken = $generator->generateHash('sha1');
- Cookie::set('alc_enc', $member->ID . ':' . $token, 90, null, null, false, true);
+ Cookie::set('alc_enc', $member->ID . ':' . $member->RememberLoginToken, 90, null, null, false, true);

$member->NumVisit++;
$member->write();

Hopefully this will help those like me who track this down via Google.