Yes, valid rant, I agree with you.

Even with AuthBasic you can't notify disconnected users, so I think the point is to be able to delete a cookie if needed, and thus force a user to re-authenticate. Or may be you discover a fraud and want to throw away a user...

I hope I understood that correctly :)

Ciao, Valerio

Update: what you said about double expires still applies.