OK, I stayed off-line for some time and left some open topics and also left the 'Show unread posts since last visit.'
Refreshing the topics I left open, didn't cause a refresh to the index.php.
Refreshing the 'Show unread posts since last visit.' query results in a refresh to the index.php.
Ok, "some time", though really unspecific, seemed to be enough since at least once it did happen.
BUT, how did you test those 2 cases? Did it go like this?
1) You left some open topics and also left the 'Show unread posts since last visit.'
2) You waited some time.
3) You refreshed the 'Show unread posts since last visit.' query results in a refresh to the index.php.
4)
Immediately after the previous step (within 1h), you refreshed the topics you left open, didn't cause a refresh to the index.php.
Is this how you tested? If yes, you missed this: "NOTE! After you've refreshed one tab, the second (or 3rd, 4th...) tab when refreshed stays on the current page (which is expected)." I guess that's what happened. You can only test 1 page/topic at a time, then, to test another page/topic, you have to wait another 1+ hour (or kill the cookie).
Well you only need cast your mind back a few weeks to the fact the forum got hacked and was off line for a couple of weeks to investigate how to better protect the forum/user information. This external authentication was one of the measures to prevent this information being stolen (not on the forum server).
So for whatever reason if the forums were hacked this kind of information wouldn't be available for harvesting.
And? I fully understand what you're saying, but the ext. auth. security aspect doesn't really relate to this forum annoyance. I've done my share of web developing and I can say for sure (even though I don't know the inner workings of the system) that this annoyance could be coded differently, i.e. redirecting users to the page they were on after the authentication is done.
And besides, for all I care, from personal point of view, let forums get hacked, ok, it's an annoyance, but nothing else to me, I don't condone it no, but I'm not that dumb to e.g. use the same passwords for different sites/services. And for somebody gleaning my email address? Well, if you operate in internet, it's a lost cause anyways, it's going to go to a lot of "lists" even if you are really conservative about where you do put it in. Different emails for every need? No thanks, it's not possible. My 2c.