0.41 ignored session 'timeout', when setting session cookie & always set the cookie to expire with the browser session.

For some reason 0.50 sets the cookie to have a duration (always) and to set that duration to the value of session 'timeout'.

The problem is there is now no way to return to previous behavior and set a browser Session cookie. web.config.session_parameters['timeout'] must be numeric and must be > 0, as it is always used as the value for session cookie timeout.

If I set session_timeout to 0, login will always fail (because session is too old).
If I set session_timeout to 10, a user who is idle for ten seconds will have their session killed.
If I set session_timeout to 2 days, a user who is idle for two days will have their session killed (I can deal with that), BUT, because the cookie isn't a Session Cookie, it also means if the browser is closed AND A DIFFERENT USER ACCESSES COMPUTER they're logged in as the previous user.

This does not implement a useful "remember-me" feature, though it appears that was the hope.

Needed: some way to force browser Session Cookie.