Comment 9 for bug 1179955

It's always wise to tread lightly where authentication behavior and the principle of least surprise are concerned. I don't think this warrants an OSSA, but might benefit from an OSSG security note with recommendations for how deployers can work around this shortcoming in production (whether that's clearing all active tokens or something more targeted).