I wouldn't go as far as "Don't bother with cookie expiration.", but you're certainly right in that you can't _rely_ on "the browser" to honor them (or even actually be a browser).
I'd still recommend setting reasonable expirations, even if it's only to be seen to be doing the right thing. Far future expirations aren't useful (as you explain) and they only serve to make it look like you're "doing in wrong". (And, for the 99.9% case of non-malicious regular users, expiring the cookies normally saves the sever the effort of looking up the session state of an already expired session with a 2030 expiry cookie. Don't _rely_ on it, but take advantage of it working right under normal conditions.)
I'd still recommend setting reasonable expirations, even if it's only to be seen to be doing the right thing. Far future expirations aren't useful (as you explain) and they only serve to make it look like you're "doing in wrong". (And, for the 99.9% case of non-malicious regular users, expiring the cookies normally saves the sever the effort of looking up the session state of an already expired session with a 2030 expiry cookie. Don't _rely_ on it, but take advantage of it working right under normal conditions.)