Session cookies can be reset much more easily than asking a user to reset their password. Session cookies also aren't used on multiple sites. It's still a big deal, but leaking a session cookie is much less dangerous than leaking a password.
>Session cookies can be reset much more easily than asking a user to reset their password.
This statement is making an assertion about the behavior of vastly different software backends and the skill-set of the people administering the systems. Things that may appear trivial to you may not be for the sysadmin in charge of servers running healthcare applications that have an opaque internal state.
Lots of sites use session cookies. Many don't automatically expire them or rely on browsers to expire them (ex: signed cookies).
Plus rotating the master session key (to force the issue of all users being reset) requires knowing you should do it. By downplaying the issue, CloudFlare is sending the message that customers don't have to do anything.
