by chrismorgan 969 days ago
A proposal like this will never fully replace cookies: quite apart from inertia and largely-unmaintained systems, it’s much, much more complicated for servers to implement. Diffie-Hellman, CBOR, encryption, session nonces… now compare that to just generating a big random string and using that as a cookie value and as the session table primary key. The consequence is that—even if there’s a nice backwards-compatibility path and all the browsers implement the whole lot—major frameworks like Django or Ruby on Rails will implement it, but smaller things and roll-your-own things won’t, because they’ve already got something easier that works about as well.