It's not just when you login. The authentication cookie can be stolen at any time.