Smartys wrote:
Jansson: I don't think that's why, becaused a leaked PunBB cookie is potentially much worse than a session ID (a session ID needs to be kept active: if the user doesn't change their password the cookie is always valid).
Under what circumstances would a cookie be leaked? The only way to do so would be physically gaining access to the user's box, and in which case, losing your password is the least of your concerns.