The cookie should definitely go away, so there's something wrong
either in Cookies.removeCookie, or in the browser, or in your code.
However, regardless of whether or not cookie deletion works, you are
being rather insecure if you don't send a note to the server to
invalidate the cookie. Just because the cookie has been eliminated
from the user's hard drive doesn't mean it's really gone. It could be
on a backup. Someone could have sniffed it off the wire (in the case
of SSL, doubtful, but maybe you use a reverse proxy SSL solution and
someone is in the middle on your local net). It could just be someone
else that got a hold of a user's cookies.dat file. Either way, the
session ID is no longer valid even if someone magically comes up with
it again. You *NEED* to tell your own server that the given cookie is
to be deleted from the db/removed from the session store.
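
An added example, not part of the original post: a minimal in-memory session store in Python showing why deleting the cookie in the browser is not enough, and what server-side invalidation changes. The class, its method names and the user "alice" are hypothetical; the post does not say what the server runs.

```python
import secrets
import time


class SessionStore:
    """Hypothetical stand-in for the server's db/session store."""

    def __init__(self, ttl_seconds=1800):
        self._sessions = {}  # session id -> (user, expiry timestamp)
        self._ttl = ttl_seconds

    def login(self, user, now=None):
        now = time.time() if now is None else now
        session_id = secrets.token_urlsafe(32)  # unguessable id from a CSPRNG
        self._sessions[session_id] = (user, now + self._ttl)
        return session_id  # the value the server would send in Set-Cookie

    def authenticate(self, session_id, now=None):
        """Return the user for a presented cookie value, or None if not valid."""
        now = time.time() if now is None else now
        entry = self._sessions.get(session_id)
        if entry is None:
            return None
        user, expiry = entry
        if now >= expiry:
            del self._sessions[session_id]  # expired entries are dropped too
            return None
        return user

    def logout(self, session_id):
        """Server-side invalidation: remove the id from the store."""
        return self._sessions.pop(session_id, None) is not None


def replay_after_logout(server_invalidates):
    """Who does a copied cookie authenticate as after the user logs out?"""
    store = SessionStore()
    cookie = store.login("alice")  # constructed sample user
    copied = cookie  # the copy on a backup, off the wire, or from a cookie file
    if server_invalidates:
        store.logout(cookie)  # the client told the server to invalidate it
    # Otherwise the client only removed its own cookie; the store is unchanged.
    return store.authenticate(copied)
```

With client-side deletion only, the copied value still authenticates as the user until the session expires; once the server removes it from the store, the same value is rejected.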