Simetrical wrote:
Of course theoretically some of this might not apply to bots, but why do bots mind staying logged in through cookies, or at least POST parameters?
It wa aded for dumb frameworks which only support GET (see mediawiki-api-l). We could fix the session replacing by requiring a token from the same ip but forcing people to use better ways might be better. A token would prevent it from being cached, but not from having the password on the logs.