Is this the expected behavior? Is it reasonable to expect the session cookie to be removed for my site when I close the tab first then the browser?
Apparently yes, this is expected behaviour, and no you are not reasonable to expect such a thing. The behaviour you are seeing appears to be a deliberate design decision in the way the browsers implement "session restore" functionality.
- See this Firefox bug from 2009 (eternalsession) Session restore can result in excessive session cookie lifespan that has many duplicates and no solution.
- Or this Chromium bug from 2012 Session Cookies not cleared when Chrome processes closed with a status of
WontFix
So, in short, I don't think there's anything you can do about this from the server side, no matter how awesome flask is :(