You should definitely read my article on branding a browser with a cookie
In there, I say something like: do not use the presence of a cookie to indicate a logged-in state, because the browser is free to ignore your requests to remove the cookie or expire it after a while.
Instead, simply ignore that particular cookie if it's sent in the future. This means you should use a cookie only as a key to a server-side database which shows the current state of logged-in or not.
-- Randal L. Schwartz, Perl hacker