Dylan16807 2 hours ago

Steal the creds by doing what, though? Most attacks could get their password even if it wasn't in the cookie.

And password managers have been plenty well known for a long time.

firefoxd 2 hours ago | parent [-]

How do you get the password if it's not in the cookie? When it's in the cookies, any 3rd party script can swipe it.

Dylan16807 6 minutes ago | parent [-]

A third party script that's embedded into the task management website? Otherwise I don't see how it's going to get to the cookie. And if it is embedded into the website, it can force a fresh login and steal the cookie that way.

And you can set HttpOnly to stop JavaScript from being able to access the cookie... but that still won't stop the attack of making them log in again.
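
An added example, not part of any comment above: a small audit of `Set-Cookie` headers that reports which cookies page scripts could read through `document.cookie` because `HttpOnly` is absent. The header values, the function names and the password-name heuristic are assumptions constructed for illustration, and the check covers script readability only, not the forced re-login case raised in the thread.

```javascript
// Constructed sample Set-Cookie header values (not from a real site).
const SAMPLE_SET_COOKIE = [
  "session=9f2c1e; Path=/; Secure; HttpOnly; SameSite=Lax",
  "password=hunter2; Path=/; Max-Age=31536000",
  "theme=dark; Path=/",
];

// Parse one Set-Cookie value into name, value and lower-cased attributes.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = {
    name: eq === -1 ? "" : pair.slice(0, eq),
    value: eq === -1 ? pair : pair.slice(eq + 1),
    attributes: {},
  };
  for (const attr of attrs) {
    if (!attr) continue;
    const i = attr.indexOf("=");
    const key = (i === -1 ? attr : attr.slice(0, i)).toLowerCase();
    cookie.attributes[key] = i === -1 ? true : attr.slice(i + 1);
  }
  return cookie;
}

// Hypothetical heuristic: cookie names that suggest a stored password.
const PASSWORD_NAME = /pass(word|wd)?|pwd/i;

// Report, per cookie, whether scripts on the page can read it and why it is risky.
function auditCookies(headers) {
  return headers.map(parseSetCookie).map((c) => {
    // Presence of the attribute is what counts, whatever value follows it.
    const scriptReadable = !("httponly" in c.attributes);
    const findings = [];
    if (scriptReadable) findings.push("readable via document.cookie");
    if (!("secure" in c.attributes)) findings.push("sent over plain HTTP");
    if (PASSWORD_NAME.test(c.name)) findings.push("name suggests a stored password");
    return { name: c.name, scriptReadable, findings };
  });
}

for (const row of auditCookies(SAMPLE_SET_COOKIE)) {
  console.log(row.name, row.findings.length ? row.findings.join("; ") : "ok");
}
```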