In 1994, Lou Montulli needed a shopping cart to survive a page reload. HTTP was stateless by design: each request arrived with no memory of the last. A customer could select a product, click to the next page, and the server would have no idea who they were. Montulli's fix was a small piece of data the server could hand to the browser, which the browser would silently hand back on every subsequent request. He called it a cookie.
The original Netscape specification included expires, path, domain, and secure. It listed shopping applications, registration, and preferences as example uses. What Montulli and his colleagues reportedly rejected deserves attention: a single browser-wide unique identifier that would let sites compare notes about a user's browsing history. The cookie was scoped to a domain. It remembered you within a site, not across the web.
By 1997, RFC 2109 formalized the mechanism. It added attributes like Comment and Max-Age, distinguished "verifiable" from "unverifiable" transactions, and tried to build privacy awareness into the specification itself. Sessions, it said, have beginnings and ends, are relatively short-lived, and can be terminated by either side. This was still a world where cookies were understood as session tools.
Then the web outgrew the spec. RFC 6265, published in 2011, dropped the aspirational model that browsers had never adopted and documented what cookies actually did in the wild. Its security considerations section named the core problem plainly: cookies are ambient authority. The browser attaches them to requests automatically. Any attacker who can cause the browser to make a request to a target site gets the cookies for free.
The guardrails arrived one by one, each answering a specific failure mode. HttpOnly blocked JavaScript from reading cookies after cross-site scripting attacks demonstrated that injected scripts could harvest session tokens. The Secure flag, present since Montulli's original spec, gained teeth as HTTPS became expected rather than optional. But the most interesting intervention came in 2020, when Chrome began treating cookies without a SameSite attribute as Lax by default. Unlike the guardrails that came before it, this change rewrote the default itself, constraining cross-site cookie transmission for every site that hadn't explicitly declared otherwise. A quiet revision of the contract between browser and server.
Every one of these patches addressed the same underlying reality: the cookie transmits authority silently, and that silence becomes dangerous as the context around it shifts.
The context has shifted. Browser-based agents operate within the same cookie jar as any browser session. Playwright's authentication guide explains how to persist and reuse authenticated browser state through storageState, warning that the stored file contains sensitive cookies. When an agent loads that state, it inherits every ambient permission the cookies carry. The server on the other end receives the same headers it would from a person.
The cookie has no field for "who is driving." It was never designed to distinguish a human clicking from a script replaying actions from a model deciding what to do next. Thirty years of guardrails constrained how cookies travel, how long they persist, which scripts can read them. The question of who is steering the browser that carries them simply never came up. A mechanism designed to remember a shopping cart now silently authorizes actions taken by systems its creators never imagined, and as far as anyone on the receiving end can tell, it does so by doing exactly what it always did.

