[tantek]for example, someone with multiple identities and respective github or other OAuth endpoints, could mistakenly login in as one somewhere where they intended to login as another if there was only a "simple" check of "do they have the logged in cookie on that thing over there"
