LJ::did_post — Cookies should only show pages which take no action. When an action is being made, check that the request coming from the remote user is a POST request.
When web pages use cookie authentication, you can't just trust that the remote user wants to do the action they're requesting. It's far too easy for people to force other people into making GET requests to a server. What if a user requested http://server/delete_all_journal.bml, and that URL checked the remote user and immediately deleted the whole journal? Now all anybody has to do is embed that address in an image tag, and a lot of people's journals will be deleted without them knowing. Cookies should only show pages which take no action. When an action is being made, check that it's a POST request.
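The rule above as a stand-alone sketch, added here as an example and not taken from the LiveJournal code base: a cookie-authenticated GET only renders a confirmation form, and the deletion runs only on POST. The names `request_is_post` and `handle_delete_all_journal`, the request hash layout and the journal data are all assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical stand-in for a did_post-style check: true only for POST.
sub request_is_post {
    my ($req) = @_;
    return uc($req->{method} // '') eq 'POST';
}

# Hypothetical handler modelled on the delete_all_journal.bml page above.
# $req   : { method => ..., cookie_user => ... }  (constructed request)
# $store : { username => [ entries ] }            (constructed journal data)
sub handle_delete_all_journal {
    my ($req, $store) = @_;
    my $user = $req->{cookie_user}
        or return (403, 'not logged in');

    # The cookie only identifies the user. A GET may render a page,
    # but it must never change state.
    unless (request_is_post($req)) {
        return (200, qq{<form method="post" action="/delete_all_journal.bml">}
                   . qq{<input type="submit" value="Delete all entries"></form>});
    }

    # Only an explicit POST reaches the destructive step.
    my $count = scalar @{ $store->{$user} || [] };
    $store->{$user} = [];
    return (200, "deleted $count entries");
}

# Constructed sample data and requests.
my %store = (alice => ['entry 1', 'entry 2', 'entry 3']);

# What a browser sends when the URL is embedded as an image source:
# a GET carrying alice's cookie. The journal must be left untouched.
my ($status, $body) = handle_delete_all_journal(
    { method => 'GET', cookie_user => 'alice' }, \%store);
printf "GET  -> %d, entries left: %d\n", $status, scalar @{ $store{alice} };

# The user submitting the confirmation form.
($status, $body) = handle_delete_all_journal(
    { method => 'POST', cookie_user => 'alice' }, \%store);
printf "POST -> %d, %s, entries left: %d\n",
    $status, $body, scalar @{ $store{alice} };
```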