I had this idea for a few years already and now I also managed to implement a proof of concept for it: instead of relying on cookies or tokens to identify a user, have a service worker intercept and sign all the requests to the server (with a private key generated when the service worker is initially installed).

The server identifies the user based on the public key corresponding to the signature.

BAM! No more cookie sessions, so no more session hijacking and session replay attacks.

I also wrote a blog post [0] detailing some advantages over the traditional session handling mechanisms, but I feel this enables endless possibilities.

Appreciate your thoughts & feedback!

[0] https://programming.tudorconstantin.com/2025/03/bulletproof-sessions-secure-cookieless-session.html