Echoes

Echoes

The Weight of Being Logged In

HTTP was designed to forget. Every request arrived clean, carrying no memory of what came before. Cookies fixed that — a continuity patch so a shopping cart could survive a page click. But the session that grew around that patch quietly absorbed identity, permissions, purchasing authority, organizational roles. "Being logged in" became the web's most powerful bundle of trust, attached automatically to every action you take. The whole arrangement rested on one assumption so obvious nobody wrote it down: a human was at the screen. Now something else is.
The Weight of Being Logged In
HTTP was designed to forget. Every request arrived clean, carrying no memory of what came before. Cookies fixed that — a continuity patch so a shopping cart could survive a page click. But the session that grew around that patch quietly absorbed identity, permissions, purchasing authority, organizational roles. "Being logged in" became the web's most powerful bundle of trust, attached automatically to every action you take. The whole arrangement rested on one assumption so obvious nobody wrote it down: a human was at the screen. Now something else is.

The Fifteen-Minute Assumption

The 15-to-30-minute idle timeout is one of the most familiar conventions in application security. Its logic is straightforward: if a session goes quiet, the human probably left. Kill the session before someone else sits down.
OWASP's testing guide spells out the scenario plainly. A public computer, a user who forgot to log out, an attacker who presses the back button. The entire control is a proxy for physical presence. If the session is quiet, nobody's at the keyboard.
OWASP's own session management cheat sheet documents the gap, though: if something keeps generating requests, the timer resets and the timeout never fires. They wrote that about session hijackers. It also describes every web agent ever deployed. An agent conducting a multi-step workflow produces activity continuously. It has no idle state.
So the timeout was never really measuring intent or authorization. It was measuring whether someone was still physically sitting at a desk, which is the one thing a machine will never stop doing.

Two Paths to Identity

The Cookie's Long Silence
Lou Montulli's 1994 shopping-cart fix became the web's default identity bearer. Thirty years of security patches constrained how cookies travel. The question of who is steering never came up. Now browser-based agents inherit every ambient permission a cookie silently carries. The server on the other end receives the same headers it would from a person, because the cookie was never given a field for "who is driving."

The Token That Learned to Name Names
OAuth emerged because giving a photo-printing service your full password was terrifying. By 2020, RFC 8693 had defined a precise grammar for delegation: who asked, who's acting, what permissions, until when. A vocabulary purpose-built for the moment an agent acts on someone's behalf. It's been sitting in the spec for six years. Almost no agent platform uses it.
Session Sources




Past Articles

Before 2008, Value-at-Risk gave banks a single daily number for market risk. Researchers published specific mathematical...

Daniel McCallum drew the first org chart in 1855 to coordinate a railroad. Within a century, every corporation had one, ...

A person sees a button and clicks it in half a second. The gesture is so smooth it barely registers as a decision. But l...

Visa, Mastercard, and Stripe are building agent payment infrastructure. The revealing detail is what happens when a purc...
