Are there any good papers out there on theoretical replacements for cookies, a la @adambarth’s original Cake proposal (tools.ietf.org/html/draft-ab…)?
The subsequent origin cookie proposal (w2spconf.com/2011/papers/ses…, tools.ietf.org/html/draft-we…) is better-than-status-quo, but less aspirational. I’m looking for burn-it-down-and-start-over suggestions. :)
Would be interesting to turn it around and have the browser assign + send a unique ID per domain, server then stores what it needs server-side based on ID. User can rotate as desired. It’s essentially the iOS notion of advertising ID.
No more blocked cookies, or concerns server data is being stored on user devices, or annoying EU cookie notifications, etc.

Feb 3, 2018 · 9:57 PM UTC

Replying to @bilcorry @adambarth
I agree with the spirit of this kind of proposal. I'm less convinced in practice, given the value to developers of signed cookie values. Arbitrary session IDs might be a totally reasonable thing for advertising/measurement, but it seems to me that it's not enough for auth.