by kardianos 964 days ago
Nonces are a non-starter for me.

You cite trivial issues such as setting flags on a cookie, then go on to require checking nonces for uniqueness. You know what most people would do? They would ignore the expensive nonce check.

This would turn this into an expensive client-generated opaque token. How would you handle sites set up with subdomains?

Reading between the lines, it sounds like you want an alternative session method so legislation can force disallowing all cookies and tracking, or blanket ignoring them client-side.


I found Big Cookie. I mean seriously sitting in front of you is a proposal that’s objectively better than session tokens in a cookie jar, where the nonce portion could be entirely optional at the expense of allowing replay attacks, and you call it a non-starter. You’re just looking for reasons to not be secure at this point.
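The two comments disagree about the cost of the nonce uniqueness check versus the replay protection it buys. The following added example (written for this thread; it is not code from either commenter and not the Big Cookie proposal itself, whose token format the thread does not describe) shows the trade-off concretely: a token of the assumed shape `<session_id>.<nonce>.<mac>`, a server-side seen-nonce store that is the "expensive" state kardianos refers to, and a `check_nonce` switch that, when off, accepts the same token twice. The key, token layout, and store are all constructed for the demonstration.

```python
import base64
import hashlib
import hmac
import os

# Constructed demo key; a real deployment would load this from a secret store.
SERVER_KEY = b"constructed-demo-key-not-for-production"


def mint_token(session_id: str, key: bytes = SERVER_KEY) -> str:
    """Build a token of the assumed form <session_id>.<nonce>.<mac>.

    The nonce is fresh per issued token; the MAC binds session id and nonce
    so a client cannot forge a token or re-pair a nonce with another session.
    """
    nonce = base64.urlsafe_b64encode(os.urandom(16)).decode().rstrip("=")
    body = f"{session_id}.{nonce}"
    mac = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{mac}"


class NonceStore:
    """Server-side record of nonces already accepted, with expiry.

    This is the state a uniqueness check costs: every accepted nonce has to
    be remembered for as long as the token carrying it could still be valid.
    """

    def __init__(self, ttl_seconds: int):
        self.ttl = ttl_seconds
        self.seen: dict[str, float] = {}  # nonce -> expiry timestamp

    def check_and_record(self, nonce: str, now: float) -> bool:
        """Return True and remember the nonce if unseen; False on a replay."""
        # Drop entries whose tokens have expired so the store stays bounded.
        self.seen = {n: exp for n, exp in self.seen.items() if exp > now}
        if nonce in self.seen:
            return False
        self.seen[nonce] = now + self.ttl
        return True


def verify_token(token: str, store: NonceStore, now: float,
                 key: bytes = SERVER_KEY, check_nonce: bool = True):
    """Return the session id if the token is authentic and, when
    check_nonce is set, not a replay; otherwise return None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    session_id, nonce, mac = parts
    expected = hmac.new(key, f"{session_id}.{nonce}".encode(),
                        hashlib.sha256).hexdigest()
    # Constant-time comparison so MAC checking does not leak timing.
    if not hmac.compare_digest(expected, mac):
        return None
    if check_nonce and not store.check_and_record(nonce, now):
        return None  # replay: this nonce was already accepted once
    return session_id


if __name__ == "__main__":
    store = NonceStore(ttl_seconds=300)
    tok = mint_token("sess-42")
    print(verify_token(tok, store, now=1000.0))                     # sess-42
    print(verify_token(tok, store, now=1001.0))                     # None
    print(verify_token(tok, store, now=1002.0, check_nonce=False))  # sess-42
```

The store's TTL has to be at least the token's own validity window: once a nonce is purged, the same token would be accepted again, so the uniqueness check only closes the replay window when it is paired with token expiry. That pairing, and the shared storage needed when more than one server verifies tokens, is the operational cost the first comment expects many deployments to skip.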