
How to trust that a cookie sent back to the server in a subsequent request has not expired?


Expiration is an attribute of cookie. Attributes are not sent back to the server upon subsequent requests. A well-behaved browser will not send an expired cookie, but a malicious browser may ignore the expiration and send the cookie anyway. How can the server tell if the browser is actually honoring the expiration date it originally sent as an attribute of the cookie?

Is it as simple as storing the expiration date inside the cookie? Then, if the cookie is signed, the browser can trust that value and check it against its own clock.


Solution

  • NEVER. TRUST. USER. INPUT.

    By USER, consider anything external to your application.

    https://www.owasp.org/index.php/Don't_trust_user_input

    For your particular case, yes, you can add a timestamp to the content of the cookie and sign that content, then check it serverside.

    For example, using https://secure.php.net/manual/en/function.openssl-sign.php
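As an added example (not the answerer's code, and using an HMAC with a shared server secret instead of the RSA `openssl_sign` linked above), here is a Python sketch of a cookie that carries its own expiry inside the signed content, so the server checks the expiry itself instead of relying on the browser honouring the `Expires` attribute. The secret key and the user id are constructed placeholders.

```python
import base64
import hashlib
import hmac
import json
import time

# Server-side secret (constructed placeholder; load from a secrets store in practice).
SECRET_KEY = b"replace-with-32-random-bytes"


def _sign(payload: bytes) -> bytes:
    """HMAC-SHA256 over the exact payload bytes that are sent to the browser."""
    return hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()


def issue_cookie(user_id: str, ttl_seconds: int, now=None) -> str:
    """Return a cookie value 'base64(payload).base64(mac)'.

    The expiry ('exp') lives inside the signed payload, so a client that
    ignores the Expires attribute cannot extend the cookie's lifetime."""
    now = time.time() if now is None else now
    payload = json.dumps({"uid": user_id, "exp": int(now) + ttl_seconds},
                         separators=(",", ":"), sort_keys=True).encode()
    mac = _sign(payload)
    return (base64.urlsafe_b64encode(payload).decode() + "." +
            base64.urlsafe_b64encode(mac).decode())


def verify_cookie(value: str, now=None):
    """Return the payload dict if the signature is valid and not expired,
    otherwise None. Never trusts anything in the cookie before the MAC check."""
    now = time.time() if now is None else now
    try:
        payload_b64, mac_b64 = value.split(".", 1)
        payload = base64.urlsafe_b64decode(payload_b64)
        mac = base64.urlsafe_b64decode(mac_b64)
    except ValueError:          # missing separator or malformed base64
        return None
    # Constant-time comparison so the MAC check does not leak timing.
    if not hmac.compare_digest(mac, _sign(payload)):
        return None
    data = json.loads(payload)  # safe to parse: the content is authenticated
    # Server clock decides expiry; the browser's opinion is irrelevant here.
    if not isinstance(data.get("exp"), int) or data["exp"] <= now:
        return None
    return data
```

In a real deployment the secret must be random and rotated, and the cookie should still carry `Expires`/`Max-Age`, `Secure` and `HttpOnly` for well-behaved browsers; the server-side check is what holds when the client is not well-behaved.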