Let me tell you a story.
The host name is made up, but everything else is true.
-
PunBB stores the user name and the hashed password in the cookie. (It uses a different hash than the one in the DB.)
-
acmeshell.inc users can have their own homepages, with PHP.
Once upon a time, there was a forum at http://acmeshell.inc/forum/. (It has been moved to another server since then.) The forum used PunBB, and even though it was in /forum/, it would set cookies with a path of /.
Cookie path was /.
User homepages were at /~user/.
Guess what happened.
/~joe/stealcookies.php?.jpg
No JavaScript was used.
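The path matching behind this story, as an added example that is not part of the original post: it applies the RFC 6265 path-match rule to show that a cookie set with a path of / is attached to the homepage request above, while one scoped to /forum/ is not. The cookie name, its value and the function names are assumptions made for illustration.

```javascript
// Added example: RFC 6265 section 5.1.4 cookie path matching.
// Cookie name and value are constructed placeholders, not PunBB's real ones.

// True if a cookie scoped to `cookiePath` is sent on a request for `requestPath`.
function pathMatches(requestPath, cookiePath) {
  // Only the URL path takes part in matching; the query string is ignored.
  const path = requestPath.split("?")[0] || "/";
  if (path === cookiePath) return true;
  if (!path.startsWith(cookiePath)) return false;
  // A prefix match only counts on a "/" boundary (/forum does not cover /forumx).
  return cookiePath.endsWith("/") || path[cookiePath.length] === "/";
}

// Build the Cookie header a browser would attach to a same-host request.
function cookieHeaderFor(requestPath, jar) {
  return jar
    .filter((c) => pathMatches(requestPath, c.path))
    .map((c) => `${c.name}=${c.value}`)
    .join("; ");
}

// Audit helper: names of cookies whose Path reaches outside the app that set them.
function overbroadCookies(appPath, jar) {
  return jar.filter((c) => !pathMatches(c.path, appPath)).map((c) => c.name);
}

// Constructed cookie jars: the forum as deployed, and the same cookie scoped tightly.
const asDeployed = [{ name: "forum_cookie", value: "CONSTRUCTED_VALUE", path: "/" }];
const scoped = [{ name: "forum_cookie", value: "CONSTRUCTED_VALUE", path: "/forum/" }];

// Request paths taken from the story above.
const requests = ["/forum/index.php", "/~joe/stealcookies.php?.jpg"];

for (const [label, jar] of [["Path=/", asDeployed], ["Path=/forum/", scoped]]) {
  for (const req of requests) {
    const header = cookieHeaderFor(req, jar) || "(no cookie sent)";
    console.log(`${label.padEnd(13)} ${req.padEnd(30)} ${header}`);
  }
  console.log(`${label.padEnd(13)} overbroad for /forum:`, overbroadCookies("/forum", jar));
}
```

The same check can be run against the Set-Cookie headers of any application that shares a host name with content it does not control.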