by jcampbell1
4812 days ago
> Would adding a HMAC string to the cookie value not get around this issue?

That would do absolutely nothing. Here are the attacks:

1) Log a person out by replacing the session cookie.
2) Make GitHub slower by making all requests have to send a large amount of cookie data.
3) Log someone in to one of the attacker's accounts. For instance, I can create an account like `jResîg`, and log people into that account.

Adding an HMAC prevents 0 of 3. Moving GitHub Pages to a different domain solves all three problems.