by porridgeraisin 968 days ago
The only real advantage I see here is having a dedicated storage for session identifiers as opposed to clubbing it with other non-essential cookies.

Everything else in the proposal isn't really required.

Considering this, simply choosing a standard name for session cookies suffices.

Browsers can give an option to the user to reject all cookies that don't have the name "WebSession". This is already achievable using extensions like uMatrix.


The instant you implement that, everyone will just start squeezing all the tracking information they need into the WebSession cookie. Plus, this isn't backwards compatible with all the existing servers that use custom names for the session cookie: PHPSESSID, session_id, etc.
It's already unique, so no need to cram more information.

About the backwards compatibility - the whole idea suggested in the article is that the user can block all cookies and use WebSession. That isn't backwards compatible with PHPSESSID either.

> everyone will just start squeezing all the tracking information they need into the WebSession cookie

Why would you need to put more information into the cookie if it's already unique?

I'd argue that doing proof-of-possession for state maintenance/session persistence, rather than simple bearer tokens, is sorely needed.
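The distinction raised in that last comment, as an added example that is not part of the thread: a bearer session id is accepted by anyone who presents it, whereas a proof-of-possession session also requires an HMAC over the request made with a per-session key the client never transmits. The store, function names and the constructed session are all hypothetical.

```python
import hmac
import hashlib
import secrets

# Constructed in-memory session store (hypothetical): session id -> per-session key and seen nonces.
SESSIONS = {}

def create_session():
    """Server issues a session id plus a key that only the client keeps."""
    sid = secrets.token_hex(16)
    key = secrets.token_bytes(32)
    SESSIONS[sid] = {"key": key, "seen": set()}
    return sid, key

def sign_request(sid, key, method, path, nonce):
    """Client proves possession of the key by signing what it is about to send."""
    msg = f"{sid}|{method}|{path}|{nonce}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def verify_bearer(sid):
    """Bearer model: whoever holds the id is accepted, no further proof."""
    return sid in SESSIONS

def verify_pop(sid, method, path, nonce, tag):
    """Proof-of-possession model: the id alone is insufficient; the tag must
    verify against the stored key and the nonce must not have been seen."""
    sess = SESSIONS.get(sid)
    if sess is None or nonce in sess["seen"]:
        return False
    expected = sign_request(sid, sess["key"], method, path, nonce)
    if not hmac.compare_digest(expected, tag):
        return False
    sess["seen"].add(nonce)  # reject replays of the same signed request
    return True

def demo():
    """Compare what a leaked session id buys under each model."""
    sid, key = create_session()
    nonce = secrets.token_hex(8)
    tag = sign_request(sid, key, "GET", "/account", nonce)
    return {
        "bearer_with_id_only": verify_bearer(sid),                                   # True
        "pop_legit": verify_pop(sid, "GET", "/account", nonce, tag),                # True
        "pop_replay": verify_pop(sid, "GET", "/account", nonce, tag),               # False
        "pop_id_only": verify_pop(sid, "GET", "/account", secrets.token_hex(8), "0" * 64),  # False
        "pop_other_path": verify_pop(sid, "GET", "/admin", secrets.token_hex(8), tag),     # False
    }
```

The `pop_id_only` case is the point of the comment: a session id captured from a cookie is useless to a third party unless they also hold the per-session key.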