# ktor
n
I have run into this issue: https://youtrack.jetbrains.com/issue/KTOR-5760 Isn't it a security problem that the server depends entirely on the client regarding session validity? Thanks.
e
cookie expiry is a client-side feature only, the server has no idea what the cookie expiry is beyond setting its initial value (it never gets re-transmitted). that's just how cookies work
🙏 1
so yes, that does mean if you want server-controlled session expiration then you can't (only) use cookie expiration
👍🏻 1
🙏 1