I'm not sure you really need a session or cookie step. I use
similar logic but instead use a hidden form field "step". Another
trick I use is a hidden form field "uuid" that is set to a matching
value in my session scope. This way, if they do not agree, I reset
the entire process to the beginning. This prevents the "No expiry"
problem you mentioned that can sometimes be duplicated with
bookmarks or using the browser history to jump around.
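
The check described in the post above, sketched in Python as an added example that is not the poster's code. It assumes a dict-like server-side session and a dict of submitted form fields; the names `STEPS`, `start_wizard`, `handle_post`, `wizard_uuid` and the `value` field are hypothetical.

```python
import hmac
import uuid

STEPS = ("account", "address", "confirm")  # hypothetical wizard steps


def start_wizard(session):
    """Begin or reset the flow: mint a fresh per-run token in the session."""
    session["wizard_uuid"] = uuid.uuid4().hex
    session["data"] = {}
    # Values the first page renders into its hidden "step" and "uuid" fields.
    return {"step": 0, "uuid": session["wizard_uuid"]}


def handle_post(session, form):
    """Process one submitted step; return hidden-field values for the next page."""
    expected = session.get("wizard_uuid", "")
    supplied = form.get("uuid", "")
    # A bookmarked page, a history jump or an expired session carries a token
    # that no longer matches the session copy: reset to the beginning.
    if not expected or not hmac.compare_digest(expected.encode(), supplied.encode()):
        return start_wizard(session)
    # The hidden "step" field is client-controlled, so parse and range-check it.
    try:
        step = int(form.get("step", ""))
    except ValueError:
        return start_wizard(session)
    if not 0 <= step < len(STEPS):
        return start_wizard(session)
    session["data"][STEPS[step]] = form.get("value", "")
    if step == len(STEPS) - 1:
        done = session.pop("data")
        session.pop("wizard_uuid")  # finishing invalidates the token
        return {"step": "done", "data": done}
    return {"step": step + 1, "uuid": expected}
```

Because the token is replaced on every reset and dropped on completion, a page saved from an earlier run can never resume a later one.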