So is the user session controlled by the cookie? If that's the case can't I just have the session expire when the cookie expires. In other words, set the cookie to expire in two hours and this will force a logout. Of course, this could annoy some people too. But its possible to have the session expire only if there is inactivity for a certain time.