>Do you know if that opens up any XSS vulnerabilities that either you, or UT users, should know about?
Not at all, this is the default for browser session state cookie, that is goes away once the browser is closed, unless, as mentioned, if Remember me is checked. I have been using that approach since 1993 now.