u/Lord_of_the_rats - 6 Archived Voat Posts in v/programming

u/Lord_of_the_rats

1 post · 5 comments · 6 total

Active in: v/programming (6)

Comment on: Why is it considered dumb to transfer plaintext username and password over HTTPS cookies?

I don't really care about the weaknesses in HTTPS. Sure, it may be bad, but unless I were to invent a new protocol (which would be incompatible with 99% of internet-devices) it can't be fixed by me.

For your proposed solution, the server would need to know the user's plaintext password; generally the server only knows the hash.

2 13 Feb 2017 10:40 u/Lord_of_the_rats in v/programming
Comment on: Why is it considered dumb to transfer plaintext username and password over HTTPS cookies?

Is there a name for the solution you propose? Seems like a nice and easy solution, but I'd like to do some more research first.

Edit: Wait a minute. The server would need to know the user's plaintext password; generally the server only knows the hash. This doesn't make any sense.

0 13 Feb 2017 10:21 u/Lord_of_the_rats in v/programming
Comment on: Why is it considered dumb to transfer plaintext username and password over HTTPS cookies?

It would be highly inconvenient to force the user to keep logging back in after 10 minutes of inactivity. It would have to be at least an hour for my use case. Voat, for example, allows me to refresh the page and remain logged in after a day or at least 6-8 hours. I think 2 or 3 hours is sufficient for an inactivity time-frame.

1 13 Feb 2017 10:17 u/Lord_of_the_rats in v/programming
Comment on: Why is it considered dumb to transfer plaintext username and password over HTTPS cookies?

hashing passwords is expensive.

OK. That is reason enough; my server is slow.

... vulnerable to a write only attack ...

How does using session cookies prevent this though? From its name, I can guess that session cookies are also cookies and would be vulnerable to the same problem.

0 13 Feb 2017 09:59 u/Lord_of_the_rats in v/programming
Why is it considered dumb to transfer plaintext username and password over HTTPS cookies?
3 19 comments 13 Feb 2017 08:50 u/Lord_of_the_rats (self.programming) in v/programming
Comment on: A "final solution" to the image hosting problem

I'm pretty sure that the scraping bot can be a shell script using curl/wget, sed, awk etc.

Does any1 want me to try doing dat, or did some1 else already finish it?

3 09 Feb 2017 01:49 u/Lord_of_the_rats in v/programming

archive has 9,592 posts and 65,719 comments. source code.