In auth helper libraries, cookies have a session expiration time instead of living as long as the token itself

[scotttrinh]

If you do not specify an expiration, the cookie will expire at the end of the browser session (ie when the browser is closed). However, the browser I primarily use to test has a session-restore feature which has always restored the session cookie when the browser restarts so I've never noticed this behavior.

We should expire the cookie when the session token itself is set to expire.