server side expiration of auth cookies are necessary for: logouts to be absolute password changes to be trigge logouts recover from cookie theft
Bug watches keep track of this bug in other bug trackers.