I don't know why you threw the baby out with the bathwater. The problem is that you want the cookies to be short-lived and device-bound because someone might intercept your e.g. JSESSIONID or if they can't read it, they might inject their own JSESSIONID through cross-origin requests somehow.
Binding a session cookie to a device is pretty simple though. You just send a nonce header + the cookie signed with the nonce using a private key. What the Chrome team is getting wrong here is that there is no need for these silly short-lived cookies that need to be refreshed periodically.
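The server-side check for the nonce-plus-signature scheme described in the comment above, as an added example that is not part of the original comment or any browser's implementation. It assumes the server issues single-use nonces and stored the device's public key with the session at login; all function names, the session id and the key pair are hypothetical and constructed for the demonstration.

```javascript
const crypto = require('crypto');

// Constructed data: the device key pair and session id below are made up.
// Assumption: the client keeps the private key on the device and the server
// stored the matching public key with the session at login.
const device = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
const SESSION_ID = 'constructed-session-id';
const sessions = new Map([[SESSION_ID, { publicKey: device.publicKey }]]);
const outstandingNonces = new Set();

// Server: hand out a fresh random nonce and remember it until it is used.
function issueNonce() {
  const nonce = crypto.randomBytes(16).toString('hex');
  outstandingNonces.add(nonce);
  return nonce;
}

// Bytes covered by the signature. The nonce has a fixed length (32 hex chars),
// so nonce and cookie cannot be re-split into a different pair.
function signedBytes(nonce, cookie) {
  return Buffer.from(nonce + '.' + cookie, 'utf8');
}

// Client (hypothetical helper): sign nonce + cookie with the device private key.
function clientProof(privateKey, nonce, cookie) {
  return crypto.sign('sha256', signedBytes(nonce, cookie), privateKey).toString('base64');
}

// Server: accept the cookie only with a fresh nonce and a valid device signature.
function verifyRequest(cookie, nonce, proof) {
  const session = sessions.get(cookie);
  if (!session) return 'unknown-session';
  // Single use: a captured (cookie, nonce, proof) triple cannot be replayed.
  if (!outstandingNonces.delete(nonce)) return 'bad-nonce';
  const ok = crypto.verify('sha256', signedBytes(nonce, cookie),
    session.publicKey, Buffer.from(proof, 'base64'));
  return ok ? 'ok' : 'bad-signature';
}
```

A cookie presented without the device key fails with `bad-signature`, and a replayed request fails with `bad-nonce`, regardless of how long the cookie itself lives.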