[Qantourisc]

Cookies with an expire of session and secure flag set: yes. But this should be more secure, and stored for 1 session implicitly.

[jimktrains2]

And in theory less data, right? a session ID doesn't need to store the kilobytes that cookies do.

[yalogin]

Why can't there be multiple sessions for different functionalities? I am not sure people are going to relinquish the cookie concept. All the sessions are doing is have the "cookies" transported as part of the HTTP message and not as a separate file (payload)

[jimktrains2]

I'm not sure I understand you.

I'm talking about a Session-ID header that'd have a 128bit (say) max length or something. Not something that has a few kb limit like a cookie.

Also, a GET request wouldn't send a payload so I'm not sure what you mean.

[jessaustin]

Cookies are sent in the Cookie and Set-Cookie headers. No separate files.