Posted to users@httpd.apache.org by Niels Harremoes <Ni...@rm.bkvibro.com> on 2013/12/09 10:17:29 UTC

[users@httpd] Using SessionMaxAge without setting Max-Age in cookies?

Hi!
I am using Apache 2.4, mod_auth_form and mod_session with cookie based sessions.
I would like my sessions to expire after 15 minutes of inactivity - so I set
SessionMaxAge 900

However, I also need my sessions to expire when the user closes the browser. Unfortunately, the cookie header sent looks like
    Set-Cookie: session=Private-user=someUser&Private-pw=thePassword&expiry=1386227882551049;Max-Age=900;path=/;HttpOnly

I have temporarily turned off SessionCryptoPassphrase for debugging - I know that I must turn it back on for production.
The problem is the ";Max-Age=900". This makes the cookie persistent in the browser, so that even if the browser is closed, the session will still be valid if a new browser session is started within 15 minutes. The requirement is that closing the browser will end the session.

Can I avoid the "Max-Age=900" and still have server-side session expiration?

I have tried using mod_headers to rewrite the set-cookie header:

Header edit Set-Cookie ;Max-Age=900; ;

This will rewrite the Set-Cookie header to
    Set-Cookie: session=Private-user=someUser&Private-pw=thePassword&expiry=1386227882551049;path=/;HttpOnly
as desired - but only for the last one.

But mod_session_cookie sends the Set-Cookie header twice - and apparently only the last header is rewritten by mod_rewrite?
It seems like recent versions of Internet Explorer and Chrome will use the last definition, but I'm not sure I can rely on that.
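As an added illustration of the trade-off raised in the post (this is not code from the thread or from httpd), the small audit below parses a Set-Cookie value, flags whether the cookie is persistent, and reads mod_session's own expiry field out of the payload, which is what still enforces the 15-minute timeout once Max-Age is stripped. It assumes the expiry field is an apr_time_t (microseconds since the Unix epoch) and uses the post's cleartext session cookie as constructed input.

```python
import datetime

# Constructed sample: the two Set-Cookie values quoted in the post,
# before and after the "Header edit" that strips Max-Age.
WITH_MAX_AGE = ("session=Private-user=someUser&Private-pw=thePassword"
                "&expiry=1386227882551049;Max-Age=900;path=/;HttpOnly")
WITHOUT_MAX_AGE = ("session=Private-user=someUser&Private-pw=thePassword"
                   "&expiry=1386227882551049;path=/;HttpOnly")
EPOCH = datetime.datetime(1970, 1, 1, tzinfo=datetime.timezone.utc)

def parse_set_cookie(header):
    """Split a Set-Cookie value into (name, value, {attribute: value}).
    Attribute names are lower-cased; flag attributes such as HttpOnly map to ''."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs

def session_expiry(value):
    """Return the mod_session 'expiry' field as a UTC datetime, or None.
    Assumption: the field is an apr_time_t, i.e. microseconds since the epoch."""
    for field in value.split("&"):
        key, _, val = field.partition("=")
        if key == "expiry" and val.isdigit():
            return EPOCH + datetime.timedelta(microseconds=int(val))
    return None

def audit(header):
    """Report cookie-level and session-level findings for one Set-Cookie value."""
    name, value, attrs = parse_set_cookie(header)
    findings = []
    max_age = attrs.get("max-age", "0")
    if "expires" in attrs or (max_age.lstrip("-").isdigit() and int(max_age) > 0):
        findings.append("persistent")            # survives a browser close
    if "secure" not in attrs:
        findings.append("no-secure")             # may be sent over plain HTTP
    if "httponly" not in attrs:
        findings.append("no-httponly")
    if "private-pw=" in value.lower():
        findings.append("cleartext-credentials")  # SessionCryptoPassphrase is off
    expiry = session_expiry(value)
    if expiry is None:
        findings.append("no-server-expiry")      # timeout not carried in the payload
    return {"name": name, "server_expiry": expiry, "findings": findings}
```

Running `audit` over both samples shows that removing Max-Age drops only the "persistent" finding while the server-side expiry timestamp is still present in the session payload.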