Forum OpenACS Q&A: Re: RFC: Security policy for OpenACS (Security hole in OpenACS 5.1!)

Kjell, unfortunately that would mean that everybody needs to disable HTML. Not very probable.

The issue here is that even with the most diligent HTML parsing on your own site, somebody else can admit any kind of malicious HTML which would harm your page.

Jonathan, as to user-friendliness vs. security, I think the sudo solution provides for a good trade-off:

* You need to relogin only once in a while
* No expired pages
* And let's not forget: the changes are minimally invasive.

Another solution, namely adding session ids to all GET and POST URLs would mean gigantic code changes, expired pages, and clunky URLs.
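The two defences weighed above, a sudo-style re-authentication window and a per-request token, side by side as an added illustration. This is editor-written example code, not OpenACS code and not the poster's proposal; the window length, the `Session` class, the credential store and the action name `delete_forum` are all constructed for the example, and the forged request stands in for what attacker-supplied HTML on another page can make a logged-in browser submit (a request carrying the session cookie but no token and no password).

```python
import hashlib
import hmac
import os
import time
from dataclasses import dataclass, field
from typing import Callable, Optional

# Assumed re-authentication window; a hypothetical value, not an OpenACS setting.
SUDO_WINDOW_SECONDS = 15 * 60


@dataclass
class Session:
    user: str
    # Per-session secret from which CSRF tokens are derived (constructed here).
    secret: bytes = field(default_factory=lambda: os.urandom(32))
    # Time of the last successful password re-entry, or None if never.
    last_reauth: Optional[float] = None


def sudo_active(session: Session, now: float) -> bool:
    """True while the user's last password re-entry is inside the window."""
    return (session.last_reauth is not None
            and now - session.last_reauth < SUDO_WINDOW_SECONDS)


def reauthenticate(session: Session, password: str,
                   verify: Callable[[str, str], bool], now: float) -> bool:
    """Sudo-style check: re-verify the password and, on success, open the window."""
    if verify(session.user, password):
        session.last_reauth = now
        return True
    return False


def csrf_token(session: Session, action: str) -> str:
    """Token bound to both the session secret and the specific action."""
    return hmac.new(session.secret, action.encode(), hashlib.sha256).hexdigest()


def handle_with_token(session: Session, action: str, form: dict) -> str:
    """Per-request scheme: the form must carry the token for this action."""
    expected = csrf_token(session, action)
    if not hmac.compare_digest(expected, form.get("token", "")):
        return "rejected"
    return "ok"


def handle_with_sudo(session: Session, action: str, form: dict, now: float) -> str:
    """Sudo scheme: the action needs no token, only a recent re-login."""
    if not sudo_active(session, now):
        return "reauth-required"
    return "ok"


def demo() -> dict:
    """Run both schemes against a legitimate and a forged request."""
    # Constructed credential store; a real site would check a password hash.
    passwords = {"alice": "correct horse battery staple"}

    def verify(user: str, pw: str) -> bool:
        return hmac.compare_digest(passwords.get(user, ""), pw)

    s = Session(user="alice")
    t0 = 1_000_000.0
    forged = {}  # injected HTML cannot supply a token or the password
    legit = {"token": csrf_token(s, "delete_forum")}

    out = {
        "token_legit": handle_with_token(s, "delete_forum", legit),
        "token_forged": handle_with_token(s, "delete_forum", forged),
        # a token minted for one action does not authorise another
        "token_wrong_action": handle_with_token(s, "delete_message", legit),
        "sudo_cold": handle_with_sudo(s, "delete_forum", forged, t0),
        "wrong_password": reauthenticate(s, "wrong", verify, t0),
    }
    if not reauthenticate(s, "correct horse battery staple", verify, t0):
        raise RuntimeError("re-authentication unexpectedly failed")
    out["sudo_legit_in_window"] = handle_with_sudo(s, "delete_forum", legit, t0 + 60)
    # The trade-off: inside the window a forged request is not distinguishable.
    out["sudo_forged_in_window"] = handle_with_sudo(s, "delete_forum", forged, t0 + 60)
    out["sudo_forged_after_window"] = handle_with_sudo(
        s, "delete_forum", forged, t0 + SUDO_WINDOW_SECONDS + 1)
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The per-action token rejects the forged request outright but, as the post notes, has to be threaded into every form and link. The sudo window needs no change to existing pages and blocks forged requests once it has expired, at the cost of a short interval after each re-login during which a forged request to a sensitive action is accepted; that interval is the price of the smaller code change.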