What are the main disadvantages and attack vectors of cookie-based authentication?
The genuine cookie weakness is the session cookie itself — steal it and you're the user. Separate that from two things people lump in but that aren't cookie problems: the choice of password as the login factor, and the burden of rolling your own account system.
1. The real session-cookie weaknesses (inherent to the model, and they apply no matter how you logged in — password, passkey, SSO, anything):
- Session hijacking — if an attacker steals the cookie (XSS, sniffing on plain HTTP, a MitM), they are the user, no credential needed. The cookie is a bearer token: whoever holds it is trusted.
- CSRF — because the browser auto-attaches the cookie to every request to that site, a malicious page can trigger authenticated actions unless you defend with
SameSite/CSRF tokens. - Session fixation and weak/guessable session IDs.
- Mitigations:
HttpOnly(blocks JavaScript/XSS theft),Secure(HTTPS-only),SameSite(limits CSRF), plus rotating the ID on login and short expiries.
2. Not a cookie weakness — the credential is weak. "Username + password is phishable/reusable/guessable" is true, but it's a property of the password factor, not of cookies. A session cookie issued after a passkey (WebAuthn) login is the very same cookie — so swapping the factor removes the phishing problem while the cookie mechanics are unchanged. Don't blame the cookie for the password's sins.
3. Not a cookie weakness — the implementation burden. "You must build sign-up, password reset, and protect your own hash store" describes rolling your own auth. With a framework this largely disappears: Laravel (Fortify/Breeze/Sanctum), Django, or an external IdP give you the account lifecycle, hashing, and session handling already hardened. You should not hand-roll this — so it's a reason to use good tooling, not an intrinsic flaw of cookie sessions.
Tip: Ask "would this still be true if the user logged in with a passkey and I used a framework?" If yes → it's a real cookie/session issue (hijacking, CSRF). If no → it's really about the password factor or your own code.
Go deeper:
OWASP Authentication Cheat Sheet — TLS-only login, generic errors, throttling/lockout against phishing/brute-force.
OWASP: Session hijacking attack — the cookie-theft vector spelled out (sniffing, XSS, MitM).