Session Abstract: WebAuthn, OAuth 2.0, passkeys, ... the list goes on. We've never had so many tools to securely establish user and application identity while maintaining privacy and convenience. But we risk turning back the clock and squandering those gains when we tie it all together with a session identifier or simple JWT stored in a cookie. Still, browsers and HTTP clients offer few other options for securely proving identity over the course of a browsing session.
In this talk we'll go over the issues that cookies and bearer tokens present, detail some application-level mitigations, and address ongoing developments in browser- and protocol-level standards aimed at filling this gap in our industry-wide security posture.