One complaint I’ve heard about the HTTP/2 spec is that it doesn’t introduce a better persistence mechanism than cookies. While I think it’s not the place for a new version of the protocol to demand people rearchitect the way their apps work, I do think it’s worth throwing around ideas for new headers that could replace them.
What I’d like to see, as an alternative to cookies, are UUIDs generated and managed per-domain (as in “same domain rules” domain) by the user agent, that are included in headers with each (secure) request: one for the current browser session, one for the device across sessions, and another class that could be persisted via another mechanism (i.e. Chrome Sync) across devices.
Users could reset these at any time via the UX facilities they have for managing cookies right now (e.g. clicking the icon in the address bar in Chrome). They could also choose to opt out of them on sites they don’t want to be tracked on, or to only explicitly enable them if they’re paranoid (the way that browsers like Lynx prompt for every cookie by default).
These headers could also be disabled for any cross-domain content so as to thwart framejacking and tracking (and enabled via request for explicit user approval in situations where they’re actually necessary - hence “Google AdWords wants to see your activity on this site” could be consciously refused by the user).
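A sketch of the user-agent side of this proposal, added here as an illustration and not taken from any spec or browser. The header names, the `IdentifierStore` class and keying by hostname are assumptions, and syncing the third identifier across devices is not modelled.

```javascript
// Added example: user-agent bookkeeping for per-site identifier headers.
// Works in a browser (global crypto) or Node (falls back to node:crypto).
const randomUUID = globalThis.crypto?.randomUUID
  ? () => globalThis.crypto.randomUUID()
  : require('node:crypto').randomUUID;

// Hypothetical header names, one per identifier class in the proposal.
const HEADERS = { session: 'Client-Session-Id', device: 'Client-Device-Id', sync: 'Client-Sync-Id' };

class IdentifierStore {
  constructor() {
    this.ids = new Map();         // "host|scope" -> UUID, minted lazily
    this.optedOut = new Set();    // hosts the user refuses to identify to
    this.crossSiteOk = new Set(); // "topHost>requestHost" pairs the user approved
  }
  idFor(host, scope) {
    const key = `${host}|${scope}`;
    if (!this.ids.has(key)) this.ids.set(key, randomUUID());
    return this.ids.get(key);
  }
  // User-initiated reset: the site sees a fresh, unlinkable value next time.
  reset(host, scope) { this.ids.delete(`${host}|${scope}`); }
  // Closing the browser drops every session-scoped identifier.
  endSession() {
    for (const key of [...this.ids.keys()]) if (key.endsWith('|session')) this.ids.delete(key);
  }
  optOut(host) { this.optedOut.add(host); }
  approveCrossSite(topHost, requestHost) { this.crossSiteOk.add(`${topHost}>${requestHost}`); }

  // Headers to attach to one request, given the top-level page that caused it.
  headersFor(requestUrl, topLevelUrl) {
    const req = new URL(requestUrl);
    const top = new URL(topLevelUrl);
    if (req.protocol !== 'https:') return {};       // secure requests only
    if (this.optedOut.has(req.hostname)) return {}; // user opted out of this site
    const crossSite = req.hostname !== top.hostname;
    if (crossSite && !this.crossSiteOk.has(`${top.hostname}>${req.hostname}`)) return {};
    const headers = {};
    for (const [scope, name] of Object.entries(HEADERS)) {
      headers[name] = this.idFor(req.hostname, scope);
    }
    return headers;
  }
}
```

Because each identifier is minted per host, two sites never receive the same value, and an embedded third party gets nothing until the user approves that specific pairing.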
The idea of this header would be to initially provide a more appetizing alternative to cookies that developers could gravitate toward, leading to better UX around user sessions (since there wouldn’t be the inbuilt assumptions around support the way there are for cookies). As more of the web would move toward supporting one-way tokens like this, the old defaults around cookies could be deprecated and retired, the same way that built-in pop-up blocking across all the major browsers made popup-based navigation wane to near-nonexistence over the course of several years (the idea being you would choose to “Accept cookies” about as frequently as you’d pick “Allow popups” today).