[Patch] settings 'expires' attribute for Cookies should be optional (diff included)
Previous fixes to the cookie's "expires" (and not "max-age") attributes are not optional.
When the 'expires' flag is present, tested browsers (IE, Firefox) make the cookie persistent across browser restarts, and depend on that setting for invalidation. When the 'expires' flag is absent, the browser makes the cookie memory only, and destroys it when the browser process stops. When using HTTP based authentication, restarting the browser is often the only way to login as a different user, and as such, forcing the browser to destroy the cookie is necessary, otherwise, sessions live on into new logins.
Attached is a simple diff that allows for this by settings session_filter.timeout to 0.