Cookies with no expiration time are session cookies

I originally thought to define a Session cookie in a browser, you had to supply some sort of "session" token to tell the browser to clear it out once the session has finished.

As it turns out, a browser assumes a cookie is a session cookie simply by getting no expiration time in the "Set-Cookie" header.

Moral of the story, always set your cookie expiration times unless you intend it to be a session. Libraries often obscure this from, which is normally good but in this instance it lead me to believe something wrong.