[zacharyvoase]

Hi! Author of this proposal here.

I’m loving all the feedback and wanted to address some things:

* Yes, nonce tracking is expensive. HTTP request signatures could be used instead of nonces—they’re just not fully fleshed out yet, from what I can tell. And a lot of other crypto systems we rely on in Web traffic today also assume proper nonce tracking. Fortunately you only need to track distinct nonces per established session, so you could wait to allocate storage for them until the client actually tries to set up a WebSession, and use a Bloom filter to save on storage at the risk of some false positives for nonce reuse (could be risky if you’re relying on that as tamper evidence, but you could tune your filters accordingly).

* The stuff about the ergonomics of cookies and banners and auto-log-out as they currently are is mostly incidental. I’m just trying to paint a picture of how tighter integration of the notion of a ‘session’ into the browser itself could improve the UX we currently have today.

* Many people have pointed out that this is not stateless. Indeed! This is supposed to be a more secure way of establishing a stateful connection over a stateless protocol, for which there is already a demand which we’re meeting with the least secure possible method (bearer tokens sent in plaintext over the channel). Issues with scalability need to be addressed on the implementation side, but I believe the protocol is still sound and not inherently unscalable (no more than TLS in its current form).

I am going to look for opportunities to fold these points into the document itself, and maybe rearrange some of it so that these points get covered earlier and more clearly.

[Retr0id]

On the nonce-tracking front, what about a monotonic counter?

The client can generate the next nonce by incrementing the previous nonce value.

The server only needs to remember the highest nonce it's ever seen, for a particular session, and reject any new nonces less than or equal to it. O(1) in time and space, and no need for anything clever like bloom filters.

Edit: One issue I can see with this approach would be, what if requests arrive (or are processed) out-of-order? You'd perhaps want to track a small window of nonces to account for this.

[notpushkin]

> You'd perhaps want to track a small window of nonces to account for this.

Just send a signed UTC timestamp instead of a nonce. Make it valid for like 5–15 seconds to ensure it doesn't break if clocks are out of sync slightly – it will still be better than cookies that live practically forever.

[red_admiral]

Would this still work if the client opens more than one tab?

[Retr0id]

As long as you have some mechanism for synchronizing state between tabs, it should be fine. iiuc, the localstorage API is synchronised, for example.

[katsura]

Except if you have two almost simultaneous requests where the request made last reaches the server first.

[kardianos]

Noces are a non-starter for me.

You cite trivial issues such as setting flags on a cookie, then go on to require checking nonces for uniqueness. You know what most people would do? They would ignore the expensive nonce check.

This would turn this into an expensive client generated opeque token. How would you handle sites setup with sub domains?

Reading between the lines, it sounds like you want a alternative session method so legislation can force disallowing all cookies and tracking, or blanket ignoring them client side.

[dcow]

I found Big Cookie. I mean seriously sitting in-front of you is a proposal that’s objectively better than session tokens in a cookie jar, where the nonce portion could be entirely optional at the expense of allowing replay attacks, and you call it a non starter. You’re just looking for reasons to not be secure at this point.

[kardianos]

Trying again to be more constructive, rather than having a nonce, make the nonce meaningful, so there is a time component, such as seconds from initiating the session, and a validation portion that shows this came from the session function and attests the time portion is valid.

Then nonce storage, if you do it, can be limited to window when it is valid.

[dcow]

Yeah clocks might be a necessary evil that makes storage-free nonces a reality. Feels like a plausible compromise.