So with a better system the malware has to wait an extra couple hours to get the password (by dropping the non-password authentication cookie and making the user log in again), and it can still prod Jira in the meantime. That doesn't strike me as a very big difference. It's an improvement in security but not a big one.