by kijin 4736 days ago
Good point, but your explanation is also a bit confusing. If I understand correctly, your point is not so much "don't bother with cookie expiration" as "don't trust cookies to expire when you tell them to". In other words, the server should double-check cookie expiration dates because you don't want somebody fudging your 7-day cookie and using it to log in next year. Am I right?
Technically, the server cannot check cookie expiration dates, because they are never transmitted to the server. Only the cookie content is transmitted.

What I mean is: On the server, you receive an auth token that comes from the cookie. Do the logic of whether or not that auth token is valid and may be used to re-authenticate the user on the server only, and handle the entire logic for expiration on the server.

Do not rely on the fact that the cookie itself is present, because the user might have fiddled with the expiration date.

Implement cookie expiration server-side.
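As an added illustration of the reply above (this is not code from the thread): the server puts the expiry inside a signed auth token and re-checks it on every request, so the cookie's own Expires attribute, which the browser never sends back, plays no part in the decision. The key, the 7-day TTL and the user id are constructed for the demo.

```python
import hashlib
import hmac
import time
from typing import Optional

# Assumption: in a real deployment the key comes from configuration, not source.
SECRET_KEY = b"constructed-demo-key-do-not-reuse"
SESSION_TTL = 7 * 24 * 3600  # the thread's 7-day session, in seconds


def _sign(payload: str) -> str:
    return hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).hexdigest()


def issue_token(user_id: str, now: Optional[float] = None) -> str:
    """Build 'user:expiry:signature'. The expiry is part of the signed payload,
    so the server can re-check it itself and detect any edit to it.
    Assumption: user ids contain no ':'."""
    now = time.time() if now is None else now
    payload = f"{user_id}:{int(now) + SESSION_TTL}"
    return f"{payload}:{_sign(payload)}"


def set_cookie_header(token: str, now: Optional[float] = None) -> str:
    """Expires here is only a hint to the browser; the server never sees it
    again and must not depend on it."""
    now = time.time() if now is None else now
    expires = time.strftime("%a, %d %b %Y %H:%M:%S GMT", time.gmtime(now + SESSION_TTL))
    return f"Set-Cookie: auth={token}; Expires={expires}; HttpOnly; Secure; SameSite=Lax"


def validate_token(token: str, now: Optional[float] = None) -> Optional[str]:
    """Return the user id if the token is authentic and unexpired, else None.
    Presence of the cookie alone proves nothing; both checks happen here."""
    now = time.time() if now is None else now
    try:
        user_id, exp_str, sig = token.split(":")
        expiry = int(exp_str)
    except ValueError:
        return None  # malformed token
    # constant-time comparison so the signature check does not leak timing
    if not hmac.compare_digest(sig, _sign(f"{user_id}:{exp_str}")):
        return None  # tampered payload (including an edited expiry)
    if now >= expiry:
        return None  # expired on the server's clock, whatever the cookie said
    return user_id
```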
Would anyone be tempted to do this "client-side"? What would that even mean, besides what the browser does automatically? Or are we just saying, "don't trust that the client won't send expired cookies"?