User blog comment:TimmyQuivy/HTTPS Next Steps: URL Changes for International Wikis/@comment-35982440-20180722042133/@comment-27345308-20180723224406

I wasn't saying our cookies couldn't have been stolen, but once you authenticate your username and password aren't saved in your cookies. Yes, somebody could have stolen our login sessions through our cookies but the account credentials weren't put at risk and users were most certainly able to recover the access to their accounts anytime if session stealing occurred.