Hacker News

No, there isn't a reason why a session cookie needs to remain constant forever. I think rotating the cookie on every request would be challenging (because, at any given time, there may be several requests active), but it's very easy to rotate the cookie every couple of minutes. Such rotation would mitigate all attacks that rely on forcing browsers to submit thousands of requests.

Web applications that use HTTP Authentication cannot be fixed in this way, because you cannot change the password regularly. Other protocols that carry plain-text passwords (after SSL) may be even more vulnerable, for the same reason. For example, authenticated SMTP may be the worst case if the attacker can consistently force an automated client to reconnect and try again.
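A server-side sketch of the rotation the comment proposes, added here as an example (it is not the commenter's code nor any framework's API): the session id is rotated every couple of minutes, and the previous id stays valid for a short grace window so requests that were already in flight when the rotation happened are not rejected. The class and function names, the 120 s and 10 s intervals, and the in-memory store are assumptions.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Optional, Tuple

ROTATE_AFTER = 120.0  # seconds: issue a fresh session id every couple of minutes (assumed value)
GRACE_PERIOD = 10.0   # seconds: keep the previous id usable so concurrent requests still succeed


@dataclass
class Session:
    user: str
    current_id: str
    previous_id: Optional[str]
    rotated_at: float


class SessionStore:
    """In-memory session store with periodic id rotation (hypothetical design for illustration)."""

    def __init__(self) -> None:
        self._by_id = {}  # session id (current or still-valid previous) -> Session

    def create(self, user: str, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        sess = Session(user, secrets.token_urlsafe(32), None, now)
        self._by_id[sess.current_id] = sess
        return sess.current_id

    def _rotate(self, sess: Session, now: float) -> None:
        if sess.previous_id is not None:
            self._by_id.pop(sess.previous_id, None)
        sess.previous_id, sess.current_id = sess.current_id, secrets.token_urlsafe(32)
        sess.rotated_at = now
        self._by_id[sess.current_id] = sess  # old id remains mapped until the grace window ends

    def resolve(self, cookie_value: str, now: Optional[float] = None) -> Tuple[Optional[str], Optional[str]]:
        """Returns (user, new_cookie). new_cookie is set when the response must carry Set-Cookie."""
        now = time.time() if now is None else now
        sess = self._by_id.get(cookie_value)
        if sess is None:
            return None, None
        if sess.previous_id is not None and now - sess.rotated_at > GRACE_PERIOD:
            self._by_id.pop(sess.previous_id, None)  # grace window over: retire the old id
            sess.previous_id = None
        if cookie_value == sess.previous_id:
            return sess.user, sess.current_id  # raced with a rotation: accept, hand out the new id
        if cookie_value != sess.current_id:
            return None, None  # an old id whose grace window just expired
        if now - sess.rotated_at >= ROTATE_AFTER:
            self._rotate(sess, now)
            return sess.user, sess.current_id
        return sess.user, None
```

With this scheme the number of requests an attacker can force through with any single cookie value is bounded by the request rate times ROTATE_AFTER, which is the property the comment relies on.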

