Something else to consider is that you also don't want your session to be *only* time-based. People (using non-N6 browsers) expect that when you close your browser, the session goes away. The fact is that if you add an expiry date to your cookie, you can't *also* have it destroyed when the browser is closed. So you may want to consider (as I have) a two-pronged session:
- A cookie that expires in a given time frame (~20 min is good)
- A cookie with no timestamp, which the browser understands is to be destroyed when the last browser window is closed (except, as hackmare notes, on N6)

This requires the user to have both cookies to have a valid session.
It would also probably be worthwhile to point this issue out to the Mozilla crowd. They could possibly patch the browser to clear the session cache out when all windows are closed.
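
One way to implement the two-cookie session described in the post above, as an added example that is not the poster's code. The cookie names, the HMAC binding of both cookies to one session id, and the server-side `sessions` dict are assumptions; the server keeps its own deadline because a client can keep sending a cookie the browser would have dropped.

```python
import hashlib, hmac, secrets, time
from http.cookies import SimpleCookie

SECRET = secrets.token_bytes(32)   # signing key, constructed for this example
WINDOW = 20 * 60                   # the ~20 minute time frame from the post

def _tag(sid, kind):
    # The tag depends on the cookie kind, so one cookie cannot stand in for the other.
    return hmac.new(SECRET, f"{kind}:{sid}".encode(), hashlib.sha256).hexdigest()

def issue_cookies(sessions, now=None):
    """Create a session; return (sid, [Set-Cookie header values])."""
    now = time.time() if now is None else now
    sid = secrets.token_urlsafe(32)
    sessions[sid] = now + WINDOW               # server-side deadline
    jar = SimpleCookie()
    # Cookie 1: timed, the browser discards it after WINDOW seconds.
    jar["sess_timed"] = f"{sid}.{_tag(sid, 'timed')}"
    jar["sess_timed"]["max-age"] = WINDOW
    # Cookie 2: no Expires/Max-Age, so the browser discards it on close.
    jar["sess_browser"] = f"{sid}.{_tag(sid, 'browser')}"
    for name in jar:
        jar[name]["path"] = "/"
        jar[name]["httponly"] = True
        jar[name]["secure"] = True
    return sid, [morsel.OutputString() for morsel in jar.values()]

def _verify(value, kind):
    sid, _, tag = value.partition(".")
    good = hmac.compare_digest(tag.encode(), _tag(sid, kind).encode())
    return sid if good else None

def validate(cookie_header, sessions, now=None):
    """Return the session id only when both cookies are present, authentic,
    name the same session, and the server-side deadline has not passed."""
    now = time.time() if now is None else now
    jar = SimpleCookie(cookie_header)
    if "sess_timed" not in jar or "sess_browser" not in jar:
        return None
    timed = _verify(jar["sess_timed"].value, "timed")
    browser = _verify(jar["sess_browser"].value, "browser")
    if timed is None or timed != browser:
        return None
    if sessions.get(timed, 0) <= now:
        sessions.pop(timed, None)              # expired: forget it server-side
        return None
    return timed
```
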