mod_auth_gssapi

Session cookies never expires

Open abompard opened this issue 1 year ago • 27 comments
According to the GssapiUseSessions documentation, the session cookies should expire according to the lifetime of the GSSAPI session established at authentication. I don't see the expiration being set in the cookie header:

$ curl -v -u : --negotiate https://fasjson.fedoraproject.org/v1/me/
[...]
< HTTP/2 200 
< strict-transport-security: max-age=31536000; includeSubDomains; preload
< www-authenticate: Negotiate [...]
< set-cookie: ipa_session=MagBearerToken=UXmr[...]Gwo%3d;path=/;httponly;secure;
< set-cookie: 258ec7ac3fe42ca4f3a9165f864d24b3=50374418bc7687d83d82fe30a6c36ce4; path=/; HttpOnly; Secure; SameSite=None
< apptime: D=319790
< 
{"result": {"dn": "uid=abompard,cn=users,cn=accounts,dc=fedoraproject,dc=org", "username": "abompard", "service": null, "uri": "https://fasjson.fedoraproject.org/v1/users/abompard/"}}

My config file includes:

GssapiUseSessions On
Session On
SessionCookieName ipa_session path=/;httponly;secure;
SessionHeader IPASESSION
GssapiSessionKey file:/httpdir/run/session.key

If I look at the ipa_session cookie header sent back to curl, I don't see any Expires attribute. I think that may be why my long-running http clients end up getting 401's: they keep the session cookie around when they should drop it.

abompard, Sep 16 '24 09:09
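
A check for the symptom reported in the post above, as an added example that is not part of the original issue or of the mod_auth_gssapi project: it reads response headers in the shape `curl -v` prints them and flags every cookie that carries neither Expires nor Max-Age. The sample headers are constructed (cookie names and values other than `ipa_session` are placeholders), and the function names `parse_set_cookie` and `audit` are hypothetical.

```python
import re

# Constructed sample modelled on the `curl -v` output in the issue;
# cookie values are placeholders, the third cookie is invented for contrast.
SAMPLE = """\
< HTTP/2 200
< strict-transport-security: max-age=31536000; includeSubDomains; preload
< set-cookie: ipa_session=MagBearerToken=PLACEHOLDER%3d;path=/;httponly;secure;
< set-cookie: routeid=PLACEHOLDER; path=/; HttpOnly; Secure; SameSite=None
< set-cookie: other=PLACEHOLDER; Path=/; Max-Age=300; Secure
"""

# Matches a Set-Cookie header line, with or without curl's "< " prefix.
SET_COOKIE = re.compile(r"^<?\s*set-cookie:\s*(.+)$", re.IGNORECASE)


def parse_set_cookie(value):
    """Split one Set-Cookie value into (name, {lower-cased attribute: value})."""
    parts = [p.strip() for p in value.split(";") if p.strip()]
    # The cookie value may itself contain '=', so split only on the first one.
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name, attrs


def audit(header_text):
    """Return {cookie name: [finding codes]} for every Set-Cookie line."""
    report = {}
    for line in header_text.splitlines():
        m = SET_COOKIE.match(line.strip())
        if not m:
            continue  # status line or an unrelated header such as HSTS
        name, attrs = parse_set_cookie(m.group(1))
        findings = []
        # Without Expires or Max-Age the client has no server-stated lifetime
        # and keeps the cookie for as long as its cookie jar lives.
        if "expires" not in attrs and "max-age" not in attrs:
            findings.append("no-expiry")
        findings += [f"no-{f}" for f in ("secure", "httponly") if f not in attrs]
        report[name] = findings
    return report


if __name__ == "__main__":
    for cookie, findings in audit(SAMPLE).items():
        print(f"{cookie}: {', '.join(findings) or 'ok'}")
```
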