Simetrical wrote:
Of course theoretically some of this might not apply to bots, but why
do bots mind staying logged in through cookies, or at least POST
parameters?
It was added for dumb frameworks which only support GET (see
mediawiki-api-l). We could fix the session replacing by requiring a
token from the same IP but forcing people to use better ways might be
better. A token would prevent it from being cached, but not from having
the password in the logs.
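The point about logs, as an added example that is not part of the original message or of MediaWiki's code: a login sent by GET leaves the password in the web server's access log even when a token is attached, while a POST login leaves only the path. The log lines, the `/w/api.php` path and all values are constructed, and every name in `SECRET_PARAMS` other than `lgpassword` is an assumption.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# lgpassword is the MediaWiki API login password parameter; the other names
# are generic assumptions added for illustration.
SECRET_PARAMS = {"lgpassword", "password", "passwd", "pwd"}

# Request field of a Common/Combined Log Format line.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/[\d.]+)"')

# Constructed sample lines (addresses, names and values are made up).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2008:10:00:00 +0000] "GET /w/api.php?action=login'
    '&lgname=ExampleBot&lgpassword=s3cret&lgtoken=abc123 HTTP/1.1" 200 512',
    '192.0.2.11 - - [01/Jan/2008:10:00:05 +0000] "POST /w/api.php HTTP/1.1" 200 498',
]


def redact_line(line):
    """Return (redacted_line, leaked_param_names) for one access-log line."""
    m = REQUEST_RE.search(line)
    if not m:
        return line, []
    parts = urlsplit(m.group("target"))
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    leaked = [k for k, _ in pairs if k.lower() in SECRET_PARAMS]
    if not leaked:
        return line, []
    # Mask only the secret values; the token and other parameters stay visible.
    clean = [(k, "REDACTED" if k.lower() in SECRET_PARAMS else v) for k, v in pairs]
    target = urlunsplit(parts._replace(query=urlencode(clean)))
    request = '"%s %s %s"' % (m.group("method"), target, m.group("proto"))
    return line[:m.start()] + request + line[m.end():], leaked


def audit(lines):
    """Redact every line; return (redacted_lines, findings) with 1-based line numbers."""
    redacted, findings = [], []
    for number, line in enumerate(lines, start=1):
        new_line, leaked = redact_line(line)
        redacted.append(new_line)
        if leaked:
            findings.append((number, leaked))
    return redacted, findings


if __name__ == "__main__":
    for line in audit(SAMPLE_LOG)[0]:
        print(line)
```

Redacting after the fact only cleans the copy being processed; the password has already been written wherever the original request line was logged.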