Why not cookies be just there forever? Why expiry time is needed? Unless the app is very security critical (like banking) I don’t find a reason to expire the session. Why irritate user frequently with auth ?
Should I have session expiration (X dasys since session created, X days since lsat visit etc) for my normal webapp?