The idea is to use the session cookie in the client to authenticate against the web content served inside the local client. This way nobody gets asked for their credentials again if looking at another players statistics for example.