HTTP was stateless by design. Every request arrived at the server clean, carrying no memory of what came before. This was a virtue. It also meant that if a user added something to a shopping cart and clicked to another page, the server had already forgotten the cart existed.
The fix was modest. A Netscape engineer wrote a cookie specification so servers could recognize returning visitors. RFC 2109 formalized the mechanism with examples that matched the scale of the problem: a shopping cart that persists across pages, a browsing system where prior reading shapes later offerings. A continuity patch for a protocol that couldn't remember.
But cookies could remember a cart, and they could also remember a login. David Kristol's ACM history of cookie standardization noted that by 2001 cookies were already storing login information so users wouldn't have to keep re-entering credentials. It's hard to find the moment anyone decided the session should become the container for identity. It just did, because it was already there, already attached to every request, already the closest thing HTTP had to a sense of continuity. And identity was only the first layer. Over the following years, sessions absorbed access rights, privilege levels, organizational roles, language preferences, account state, purchasing authority. OWASP's session management guidance now treats an authenticated session token as "temporarily equivalent to the strongest authentication method used by the application."
One token carrying the full weight of who you are and what you're allowed to do.
RFC 6265, the cookie standard published in 2011, gave this accumulation a name borrowed from capability-security research: ambient authority. Authority exercised without being explicitly selected or presented for each action. When your browser sends a request to a site where you're logged in, it attaches your credentials automatically. You don't choose to present them. You don't think about it. The authority rides along with every click. RFC 6265 was precise about the consequence: cookies "separate designation (in the form of URLs) from authorization (in the form of cookies)," which means a request can carry your full authority toward a destination you didn't choose. The confused-deputy problem, formalized in security research decades earlier, arriving in every browser tab.
The entire arrangement grew around an assumption so foundational it never surfaced as a requirement: a human was sitting at the screen. The session didn't need to verify continuous presence because presence was the default condition of using a browser. You opened it, you logged in, you were there.
Now browser-based AI agents interact with web applications through the same surfaces, carrying the same ambient authority. An agent reaching a button on a banking site encounters a session that knows it was authenticated but has no concept of whether the entity clicking is the person who logged in, a script acting on their behalf, or something that wandered in through a prompt injection. A 2025 security study of a popular open-source browser agent found exactly this: untrusted web content could hijack agent behavior, leading to credential exfiltration. The session cooperated fully. It was doing what it always does.
The major agent platforms have noticed. OpenAI and Anthropic both recommend sandboxed environments, human confirmation for sensitive actions, minimal exposure to daily email and payment sessions. Reasonable precautions, all of them, and all of them workarounds for a construct that accumulated the authority of an institution while retaining the architecture of a shopping cart. The human-presence assumption was atmospheric, pervading everything without being encoded anywhere. And atmosphere is the hardest thing to retrofit.
-
Delegation vocabulary already exists: RFC 8693 defines OAuth token exchange with explicit actor claims and delegation chains, offering a formal way to represent that one party is acting on behalf of another, though ordinary browser sessions rarely use it.
-
RPA built the furniture: UiPath's mature automation platform distinguishes attended from unattended robots with dedicated accounts, credential vaults, and audit retention, showing what it takes to make non-human browser actors administratively visible.
-
Payments force the question: Mastercard's Agent Pay program introduces agentic tokens and registered agent identities for commerce transactions, an early attempt to make agent-mediated actions recognizable and contestable within existing payment networks.
-
MCP draws audience boundaries: The Model Context Protocol's authorization specification requires servers to validate that access tokens were issued for them as the intended audience, explicitly forbidding the pass-through of tokens received from clients to upstream APIs.

