Actually if browser used plain old smartcard cert off yubikey for client cert auth it would be prevented, but that's too PITA to use.

Well, if implemented right. Techically every ssl connection would carry user's identity so cookie with that identity wouldn't even be required