from Hacker News

Show HN: Bulletproof sessions – secure, cookieless session handling

by tudorconstantin on 3/24/25, 3:40 PM with 0 comments

I have had this idea for a few years already, and now I have also managed to implement a proof of concept for it: instead of relying on cookies or tokens to identify a user, have a service worker intercept and sign all the requests to the server (with a private key generated when the service worker is initially installed).

The server identifies the user based on the public key corresponding to the signature.

BAM! No more cookie sessions, so no more session hijacking and session replay attacks.

I also wrote a blog post [0] detailing some advantages over the traditional session handling mechanisms, but I feel this enables endless possibilities.

Appreciate your thoughts & feedback!

[0] https://programming.tudorconstantin.com/2025/03/bulletproof-...