How secure is the cookie handling? Is "Keep me signed in" safe?
I am an admin on a 2.1.10 forum (soon to be 2.1.11), and we had a user report a security vulnerability on the site, and I wanted to see how valid it is.
They claim that because the cookies don't expire with the browser session, it's possible for someone to steal those cookies and use them to log in to the forum and steal the account.
Is there any validity to this claim? Would removing the "Keep me signed in" option fix it?