TOTP-Based Session Cookies to defend against session hijacking

[abose]

Hi all,

I created a proposal to secure sessions with TOTPs. The proposal was discussed in WICG/proposals#204 but i don't know if that was the right place to discuss that topic. If this is not the correct please close the issue.

I have added a brief note below of the general idea below, and I'd love your thoughts on the same if this is any good:

Introduction

Web sessions typically rely on bearer tokens (cookies, JWT) that, once stolen, can be replayed indefinitely until they expire. Even short-lived cookies can be a risk if stolen. While 2FA/TOTP is commonplace at login time, there is no built-in browser support for automatically rotating per-request tokens using TOTP. This leaves session cookies vulnerable to:

• Session hijacking (cookie theft & reuse)
• Replay attacks in the token’s valid window

Proposed Solution

This proposal is for a new browser-managed TOTP storage and associated HTTP headers so that:

1. A server can securely provision a TOTP seed to the browser (via a special header).
2. The browser automatically rotates and injects a TOTP code with every request (similar to cookies).
3. This code is time-bound (e.g., 30-second window), drastically reducing replay risk.
4. The seed is stored securely(Eg. OS Key-chain), inaccessible to JavaScript (like HttpOnly cookies).

By doing this at the browser layer, we eliminate the need for applications to handle or expose TOTP seeds in JavaScript, reduce the chance of XSS-based theft, and create a more secure session mechanism.

---

2. Use Cases

1. Enhanced Session Security: Websites that want a short-lived, continuously rotating token. If an attacker steals a TOTP code, it becomes invalid within ~30 seconds.
2. Sensitive Operations: For YouTube sessions, banking, enterprise dashboards, or admin interfaces, continuous rotation reduces the attack window of a stolen cookie.

---

3. Proposed HTTP Headers & Behavior

3.1 Set-TOTP-Seed Response Header

A server sets a TOTP seed via an HTTP response header:

Set-TOTP-Seed: base32encodedseed; interval=30; digits=6; scope=session

• base32encodedseed: The TOTP seed per [RFC 6238 / RFC 4226].
• interval: How many seconds each code is valid (default: 30).
• digits: How many digits in each code (default: 6).
• scope: Defines lifetime or domain rules (e.g., session, persistent, Domain=example.com, etc.).
• Optional parameters could include algorithm (SHA-1, SHA-256), start, or expires.

Storage

• The browser MUST store this seed in a secure, origin-bound location, not accessible to JavaScript (similar to HttpOnly cookies or [WebAuthn] credential storage).
• If the site is https://example.com, the TOTP seed is only used for requests to example.com over HTTPS.
• Storing TOTP seed in system keychain will improve security posture.

---

3.2 Automatic TOTP Injection in Requests

For subsequent HTTP requests to the same origin:

1. The browser generates a fresh TOTP code (e.g., every 30s).
2. It appends a header (or cookie) to the request:

   TOTP-Code: 123456
   

3. The server validates the code server-side (matching the seed and time window).

Example Flow

1. Initial Login:

   HTTP/1.1 200 OK
   Set-Cookie: sessionid=abc123; HttpOnly; Secure; SameSite=Strict
   Set-TOTP-Seed: JBSWY3DPEHPK3PXP; interval=30; digits=6; scope=session
   Content-Type: text/html
   
   <html> ... </html>

2. Subsequent Request:

   GET /account
   TOTP-Code: 654321
   Cookie: sessionid=abc123

---

3.3 Rotation & Revocation

• Rotation: A server might issue a new TOTP seed at certain intervals or after suspicious activity:

  Set-TOTP-Seed: newSeedValue; ...
  

  The browser updates storage accordingly.
• Revocation: The server can invalidate the old seed on the server side. If the user reuses an older TOTP
  code, the server rejects it.

---

4. No JavaScript API

The default flow requires no JS API usage. This is safer.

---

5. Security Notes

1. Seed Storage: Must be at least as secure as HttpOnly cookies. Ideally, it should leverage OS-level credentials storage (OS keychain or like [WebAuthn] private keys do).
2. Replay Window: A TOTP code is valid for the specified time interval. Attackers who intercept traffic in real time could use a code within that short window.
3. Mixed Content: Must only work on secure contexts (https://) to prevent network tampering.
4. Phishing: Attackers could still prompt users to visit malicious pages. However, TOTP codes rotate quickly. Proper domain checks minimize risk.
5. XSS: Because seeds are never exposed to JS, XSS can’t read or replicate them.

---

6. Privacy Notes

• Fingerprinting: TOTP codes are ephemeral and supplement standard cookies, so minimal new fingerprinting surface(same surface as cookies).
• Cross-domain: Seeds must not be shared across domains unless explicitly allowed (like cookies with a Domain= attribute).
• User Awareness: Typically invisible to end-users, but must comply with existing privacy/cookie consent
  requirements.

---

7. Alternatives & Prior Art

• Application-layer TOTP: Storing seeds in localStorage, generating codes in JS.
  • > Susceptible to XSS or malicious scripts.
• Short-lived JWT + Refresh tokens: De facto standard in many SPAs, but still can be stolen if not protected
  properly. Refresh tokens are still long lived. Even with HttpOnly cookies, a stolen refresh token (e.g., via malware) can be replayed until it’s revoked or expired, which brings us back to your original problem.
• WebAuthn: Solves passwordless or 2FA login. Does not sign each request or handle session rotation.
• mTLS (Mutual TLS): Binds sessions to a client certificate. Strong security but complicated user flows.

This proposal focuses on a simpler, ubiquitous TOTP approach that is time-bound and easy to implement server-side.

---

8. Compatibility & Migration with Existing Session Cookies

This proposal is incremental and aims to work alongside existing session cookie flows, preserving backward compatibility. Specifically:

• Progressive Enhancement
  • Browsers that support TOTP-based session headers can respond with TOTP-Code automatically for each request.
  • On the server side, if TOTP-Code is present, the server validates it in addition to the existing session cookie.
• Fallback for Non-Supporting Browsers
  • If a browser does not support TOTP-based session headers, it won’t send TOTP-Code.
  • The server can detect its absence and fall back to traditional session validation (e.g., cookies or JWT).
• Incremental Rollout
  • During a migration window, the server can be configured to:
    1. Send Set-TOTP-Seed to supporting browsers.
    2. Accept either (session cookie + TOTP-Code) or just (session cookie) if TOTP is not present.
  • Once you confirm that the user’s browser supports TOTP by seeing a valid TOTP-Code, the server can bind the session to TOTP-based tokens going forward.
• No Breaking Changes
  • Existing logins, cookies, and session flows continue working for older browsers or for use cases where TOTP-based rotation isn’t needed.

This approach avoids forcing a hard cutover. It lets websites gracefully adopt TOTP-based session rotation while supporting a range of clients and existing infrastructure.

9. Open Questions

1. Exact Header Names: TOTP-Code vs. Sec-TOTP or a cookie approach.
2. Multiple Seeds: If a user has multiple seeds or intervals, how is that managed?
3. Algorithm Customization: Should we allow specifying SHA256 or just default to SHA1 for TOTP?

---

10. Conclusion

This proposal outlines a browser-native TOTP mechanism for short-lived, rotating session tokens. It aims to reduce session hijacking risks by limiting replay windows without the overhead or complexity of fully custom cryptographic flows in application code.

---

11. References

• RFC 6238: TOTP
• RFC 4226: HOTP
• WebAuthn Specification

---

12. Feedback

This document is a draft for discussion.

[abose]

Comparison with DBSC

The TOTP-based approach is significantly simpler to implement in both browsers and servers, provides equal or stronger security guarantees, and has the potential to become as ubiquitous as setCookie—all without the additional complexity DBSC introduces.
At its core, this approach leverages the time-tested TOTP algorithm (RFC 6238) to create automatically rotating session tokens without complex handshakes or dedicated endpoints.

Implementation Advantages

DBSC requires implementing a complete challenge-response protocol with dedicated endpoints for session registration and refresh. In contrast, the TOTP approach integrates in a few lines with existing session mechanisms. Server implementations can be as simple as generating a TOTP seed alongside the session key and validating incoming TOTP codes - requiring only a few additional lines of code to existing authentication systems.

For example, where current session establishment might look like:

sessionKey = random();
sessionDB.put(sessionKey);
response.setCookie(sessionKey);

The TOTP enhancement simply adds:

{sessionKey, totpSeed} = random();
sessionDB.put({sessionKey, totpSeed});
response.setCookie(sessionKey);
response.setTOTPSeed(totpSeed);

This minimal change brings in a better security posture than DBSC without restructuring existing authentication flows. So the barrier to wide spread adoption is reduced.

DBSC requires implementing a complete suite of authentication handshakes and dedicated API endpoints as shown in its high-level overview. This complexity creates a significant adoption barrier, particularly for smaller services that can't justify the engineering investment. By contrast, the TOTP approach achieves the same security goals with minimal implementation overhead, making robust session security accessible to every service.

Aspect	TOTP-Based Approach	DBSC
Browser-Side Complexity	Simple TOTP generation from stored seed	Requires key generation, challenge-response handling, queueing network requests till auth.
Server-Side Changes	Minimal (add TOTP validation to existing session auth flow)	More extensive (dedicated endpoints, challenge management)
Integration Pattern	Augments existing session mechanisms	Requires dedicated refresh infrastructure
Network Model	Non-blocking; passive rotation	May block requests during refresh operations
Developer Experience	Few lines of code change to existing auth systems	New authentication architecture components

Security Through Passive Rotation

The TOTP approach offers continuous, passive rotation of authentication tokens every 30 seconds (or at server-configured intervals). This automatic rotation happens regardless of user activity or network conditions, creating a more predictable and shorter vulnerability window than DBSC, which only refreshes tokens at cookie expiration or during specific refresh operations.

Security Aspect	TOTP-Based Approach	DBSC
Token Rotation	Automatic every 30 seconds(configurable)	Only at cookie expiration or refresh intervals.
Replay Window	30 seconds or configurable	Length of cookie validity period
Device Binding	Via device-bound TOTP seed storage	Via device-bound cryptographic keys
Connection Model	Connectionless (no challenge-response needed)	Requires session maintenance handshakes
Security Guarantees	Continuously rotating one-time tokens	Long-lived key with periodic verification

User Experience Benefits - Zero Performance Impact

The TOTP mechanism operates non-blocking, with no network requests held during authentication refreshes. This eliminates potential latency and jitter that might occur with DBSC's approach of holding requests during auth refresh operations. Users experience seamless security without performance penalties. Holding network requests will also be hard to do at the browser level and complicates DBSC implementation.

Adoption Path

For widespread adoption, implementation simplicity is needed. The TOTP approach can be integrated by developers with minimal security expertise, as it builds on how they handle existing session cookies and familiar TOTP concepts already widely used for 2FA. The approach is middleware-friendly and requires no special endpoints or complex handshake protocols, ideal for progressive enhancement of existing systems.

Adoption Factor	TOTP-Based Approach	DBSC
Progressive Enhancement	Works alongside existing auth with no changes	Works alongside existing auth with endpoint setup
Code Changes	Minimal - add TOTP generation and validation	More significant - implement challenge-response flow
Middleware Compatibility	Highly compatible with existing auth middleware	May require architectural changes to middleware
Deployment Complexity	Low - typically a few lines of code change	Higher - requires new endpoints and handling logic

Conclusion

DBSC use of RSA/ECDSA cryptography with complex handshakes may not be the the right tool for time-changing authentication needs. This mismatch makes DBSC more complicated than necessary - requiring dedicated /startsession and /refresh endpoints, challenge-response protocols, session identifier management, and blocking network requests in browsers during refreshes. TOTP is purpose-built for exactly this scenario to do this all passively- it's what powers 2FA worldwide and naturally extends to continuous session validation without all the extra complexity of maintaining dedicated auth infrastructure or modifying network request handling.

This TOTP based approach can also inherit certain postures from DBSC to make it more robust(Like using device binding of TOTP seeds and optional signed TOTPs to guard against compromised server session databases.)

While DBSC offers good security improvements, the TOTP-based approach provides a more lightweight path with potentially stronger security guarantees through more frequent passive rotation. By reducing implementation complexity while maintaining strong security properties, this approach could achieve ubiquity across the web ecosystem.