Login token cookies (set by MediaWiki core and by CentralAuth) have a 30-day expiration date, but we don't do anything to enforce that on the server side. If the goal of the relatively short expiration time is to limit the effect of stealing login cookies, we shouldn't rely on the client to be honest and honor the expiry date.
We could use something similar to Token::toStringAtTimestamp to issue tokens which include an expiration timestamp.
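A sketch of what server-side enforcement could look like, as an added example that is not MediaWiki or CentralAuth code: the expiry is carried inside the cookie value and covered by an HMAC keyed with a per-user secret, so the server can reject an expired or altered cookie regardless of what the client does. The function names, the `login|` prefix, the cookie layout and the sample secret are all assumptions made for illustration.

```php
<?php
// Added example: hypothetical names and cookie layout, not MediaWiki's code.

const LOGIN_LIFETIME = 30 * 86400; // the 30-day lifetime mentioned above

/** Cookie value = hex HMAC-SHA256 over the expiry, '.', expiry in hex. */
function issueLoginCookie( string $userSecret, int $now ): string {
	$expiry = $now + LOGIN_LIFETIME;
	return hash_hmac( 'sha256', "login|$expiry", $userSecret ) . '.' . dechex( $expiry );
}

/** True only if the MAC matches and the embedded expiry is still in the future. */
function checkLoginCookie( string $cookie, string $userSecret, int $now ): bool {
	$parts = explode( '.', $cookie );
	if ( count( $parts ) !== 2 || !ctype_xdigit( $parts[1] ) || strlen( $parts[1] ) > 12 ) {
		return false; // malformed, or expiry field too long to be a timestamp
	}
	$expiry = (int)hexdec( $parts[1] );
	$expected = hash_hmac( 'sha256', "login|$expiry", $userSecret );
	// Constant-time compare; a changed expiry changes the expected MAC.
	if ( !hash_equals( $expected, $parts[0] ) ) {
		return false;
	}
	return $now < $expiry; // enforced by the server, whatever the cookie's Expires says
}

// Constructed sample values.
$secret = 'constructed-per-user-secret';
$issuedAt = 1700000000;
$cookie = issueLoginCookie( $secret, $issuedAt );

var_dump( checkLoginCookie( $cookie, $secret, $issuedAt + 86400 ) );      // within lifetime
var_dump( checkLoginCookie( $cookie, $secret, $issuedAt + 31 * 86400 ) ); // past expiry

// Replayed cookie with the expiry field pushed forward by the client.
[ $mac, $hexExpiry ] = explode( '.', $cookie );
$forged = $mac . '.' . dechex( (int)hexdec( $hexExpiry ) + 365 * 86400 );
var_dump( checkLoginCookie( $forged, $secret, $issuedAt + 31 * 86400 ) );
```

Because the MAC is keyed with the per-user secret, changing that secret in this sketch still invalidates every outstanding cookie for the user at once.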