The Session Unlocks the Door. For Anyone.

After the password, the session takes over. It doesn't know who's holding it.

A few weeks ago I ran a command that made me stop. I was downloading a video using yt-dlp, a command-line tool, and instead of logging in I passed a single flag: --cookies-from-browser chrome. The tool reached into my browser, borrowed my active session, and acted as me. The platform never noticed the difference.

That flag is a small thing. But it points at something large.

Three things, not one

Most people experience logging in as a single ritual. You open a site, you prove who you are, you are in. But there are actually three distinct layers, and conflating them is how the weak spot stays hidden.

The first is the account: your identity registered in a system. Creating one is often deliberately friction-heavy — email verification, phone numbers, sometimes document checks. That friction is intentional. The account is meant to mean something.

The second is authentication: proving, each time, that you are the account holder. A password, a code sent to your phone, a biometric scan. This is the gate ritual, and it is where the industry puts most of its visible effort.

The third is the session cookie: the lightweight token the service issues once you have passed the gate. From that point on, the cookie does the work. You stop re-proving yourself at every door. The cookie says: this person already checked in. It is a bearer token in the literal sense: the server trusts whoever presents it, and has no further way to tell who that is.

The key card

Think of checking into a hotel. You book a room, you show your passport at reception, and then you get a key card. From that point on, the card does the work. It opens your room, the gym, the parking barrier. Nobody asks for your passport again until checkout. The elaborate front-desk ritual gives you a sense of security. But what actually carries you through the building is a small piece of plastic with a magnetic stripe.

Session cookies work the same way. You create an account, you authenticate, and the service issues a token. That token is your key card. And here is what I did not fully appreciate until recently: that card sits in a database file inside your browser profile, readable by any tool running as you. yt-dlp did not break into anything. It just picked up the key card I had left on the table.

🍪 Session cookies are stored locally by your browser, inside its profile directory. Firefox keeps them in a plain SQLite file. Chrome encrypts the values, but with a key tied to the logged-in OS user (DPAPI on Windows, the Keychain on macOS, a keyring or a fixed default key on Linux), so a tool running as that same user can normally unwrap them without elevated permissions; yt-dlp does exactly that, and only recent Chrome builds on Windows, which add an extra app-bound layer that ordinary user processes cannot unwrap, get in its way. The HttpOnly and Secure flags protect a cookie from page scripts and from plaintext transport; they do nothing against a process reading the file. Logging out asks the service to invalidate the session on its side, which is why it matters: closing the tab leaves the cookie, and the session it represents, fully valid.
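To make the key-card point concrete, here is an added example, written for this post and not taken from yt-dlp, that reads cookies out of a Firefox profile's cookie store the way --cookies-from-browser does. The profile path is an assumption, the sample store it builds is constructed data with a cut-down copy of Firefox's moz_cookies schema, and it does the one thing a tool actually needs to: copy the locked database, select the unexpired cookies that apply to a host, and assemble the Cookie header a client would send.

```python
from __future__ import annotations

import shutil
import sqlite3
import tempfile
import time
from pathlib import Path

# Added example (not yt-dlp's code). Firefox keeps its cookie store as a plain
# SQLite file with unencrypted values, so reading it needs nothing beyond
# running as the same user. The path is an assumption; real paths vary by OS
# and profile name. Chrome's store is encrypted with a per-user OS key, which
# adds a decryption step but not a privilege boundary.
FIREFOX_COOKIE_DB = Path.home() / ".mozilla/firefox/example.default/cookies.sqlite"


def open_cookie_db(db_path: Path) -> sqlite3.Connection:
    """Open a copy of the store: a running browser holds a lock on the original."""
    copy = Path(tempfile.mkdtemp()) / "cookies.sqlite"
    shutil.copy2(db_path, copy)
    return sqlite3.connect(copy)


def matching_hosts(host: str) -> list[str]:
    """Cookie hosts that apply to `host`: the exact host plus dotted parent domains
    (Firefox stores domain cookies with a leading dot, host-only cookies without)."""
    labels = host.split(".")
    parents = ["." + ".".join(labels[i:]) for i in range(len(labels) - 1)]
    return [host, *parents]


def cookies_for(conn: sqlite3.Connection, host: str, now: float | None = None) -> list[dict]:
    """Unexpired cookies applicable to `host`, with their protection flags.

    `expiry` is seconds since the epoch. isHttpOnly only stops page JavaScript
    from reading the cookie; it does nothing against a process reading the file,
    which is exactly the gap the post describes.
    """
    now = time.time() if now is None else now
    hosts = matching_hosts(host)
    placeholders = ",".join("?" * len(hosts))
    rows = conn.execute(
        "SELECT name, value, host, path, expiry, isSecure, isHttpOnly "
        f"FROM moz_cookies WHERE host IN ({placeholders}) ORDER BY name",
        hosts,
    ).fetchall()
    return [
        {"name": n, "value": v, "host": h, "path": p,
         "secure": bool(sec), "httponly": bool(ho)}
        for n, v, h, p, exp, sec, ho in rows
        if exp > now
    ]


def cookie_header(cookies: list[dict]) -> str:
    """Serialise cookies into the Cookie request header a client would send."""
    return "; ".join(f"{c['name']}={c['value']}" for c in cookies)


def build_sample_db(db_path: Path, now: float) -> None:
    """Constructed test data with a reduced moz_cookies schema (the real table has
    more columns); every value here is invented and belongs to no real site."""
    conn = sqlite3.connect(db_path)
    conn.execute(
        "CREATE TABLE moz_cookies (name TEXT, value TEXT, host TEXT, path TEXT, "
        "expiry INTEGER, isSecure INTEGER, isHttpOnly INTEGER)"
    )
    month = 30 * 24 * 3600
    conn.executemany(
        "INSERT INTO moz_cookies VALUES (?, ?, ?, ?, ?, ?, ?)",
        [
            ("sid", "abc123", "video.example.com", "/", now + month, 1, 1),  # login session
            ("csrf", "tok", ".example.com", "/", now + month, 1, 0),        # domain cookie
            ("old", "expired", ".example.com", "/", now - 1, 1, 1),         # already expired
            ("sid", "zzz", "other.example.net", "/", now + month, 1, 1),    # different site
        ],
    )
    conn.commit()
    conn.close()


def demo(now: float | None = None) -> str:
    """Build the constructed store, read it like a CLI tool would, return the header."""
    now = time.time() if now is None else now
    db = Path(tempfile.mkdtemp()) / "cookies.sqlite"
    build_sample_db(db, now)
    with open_cookie_db(db) as conn:
        return cookie_header(cookies_for(conn, "video.example.com", now))


if __name__ == "__main__":
    print(demo())  # constructed data: csrf=tok; sid=abc123
```

Point the script at a real profile by replacing the demo's constructed store with FIREFOX_COOKIE_DB and it behaves the same; nothing in it asks for a password or a prompt, which is the whole observation.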

The asymmetry

Platforms invest heavily in the gate. Two-factor authentication, device recognition, login anomaly detection. The entry experience has become genuinely robust. But once the cookie is issued, many platforms let it run for weeks or months. Every cookie is scoped to a domain by design; few sessions are bound to the device that performed the login, and binding to an IP address, which breaks on any mobile network, is rarer still.

Seen another way, this is the delegation problem: authentication systems were built around a single person at a single keyboard. The session token they produce was never designed to be transferred, borrowed, or held by an automated tool. Yet that is exactly what is happening, quietly, every time a CLI tool, a script, or an AI agent acts on your behalf using credentials you already established.
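What the other side of the gate could look like, as an added example (mine, not any platform's code): a server-side session store that gives the cookie the properties the post says are rare. Idle and absolute lifetimes, device binding, and revocation on logout are all in it. The timeout values are assumptions, and device_id stands in for a proof of possession of a per-device secret that does not live in the cookie jar (a TLS client certificate or a hardware-held key), because a fingerprint the client merely sends along would travel with the cookie and bind nothing.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

# Policy knobs: assumed values chosen for illustration, not any platform's defaults.
IDLE_TIMEOUT = 30 * 60          # seconds without a request before the session dies
ABSOLUTE_LIFETIME = 12 * 3600   # seconds after login before re-authentication is required


@dataclass
class Session:
    user: str
    device_hash: str      # binding to the device that performed the login
    created: float
    last_seen: float
    revoked: bool = False


class SessionStore:
    """Server-side registry of issued key cards, with expiry, binding and revocation."""

    def __init__(self, server_secret: bytes) -> None:
        self._secret = server_secret
        self._sessions: dict[str, Session] = {}

    def _index(self, token: str) -> str:
        # Store a keyed hash of the token, never the token: a dump of this table
        # must not hand out usable key cards.
        return hmac.new(self._secret, token.encode(), hashlib.sha256).hexdigest()

    @staticmethod
    def _device_hash(device_id: str) -> str:
        # device_id is assumed to be proven (client cert, hardware-held key), not
        # just asserted; a self-reported value would be copied along with the cookie.
        return hashlib.sha256(device_id.encode()).hexdigest()

    def issue(self, user: str, device_id: str, now: float | None = None) -> str:
        """Called once the gate ritual succeeds. Returns the cookie value to set."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self._sessions[self._index(token)] = Session(user, self._device_hash(device_id), now, now)
        return token

    def validate(self, token: str, device_id: str, now: float | None = None) -> str | None:
        """Return the user the cookie belongs to, or None if it must not be honoured."""
        now = time.time() if now is None else now
        s = self._sessions.get(self._index(token))
        if s is None or s.revoked:
            return None
        if now - s.created > ABSOLUTE_LIFETIME or now - s.last_seen > IDLE_TIMEOUT:
            s.revoked = True
            return None
        if not hmac.compare_digest(s.device_hash, self._device_hash(device_id)):
            # Same card seen from a different device: treat it as theft and cancel
            # the card for the legitimate holder too, rather than silently allow it.
            s.revoked = True
            return None
        s.last_seen = now
        return s.user

    def logout(self, token: str) -> None:
        """Server-side invalidation: what logging out does and closing a tab does not."""
        s = self._sessions.get(self._index(token))
        if s is not None:
            s.revoked = True


def scenario() -> dict[str, bool]:
    """Walk the policy with fixed timestamps (constructed, not real traffic)."""
    store = SessionStore(server_secret=b"rotate-me-in-production")  # assumed secret
    t0 = 1_700_000_000.0

    tok = store.issue("alice", "laptop-key", t0)
    same_device = store.validate(tok, "laptop-key", t0 + 60) == "alice"
    copied = store.validate(tok, "other-host", t0 + 120) is None        # cookie copied elsewhere
    original_after_copy = store.validate(tok, "laptop-key", t0 + 180) is None

    tok = store.issue("bob", "phone-key", t0)
    idle = store.validate(tok, "phone-key", t0 + IDLE_TIMEOUT + 1) is None

    tok = store.issue("carol", "desk-key", t0)
    alive = [store.validate(tok, "desk-key", t0 + k * 600) for k in range(1, 74)]
    absolute = alive[71] == "carol" and alive[72] is None               # active use still ends at 12h

    tok = store.issue("dave", "tablet-key", t0)
    store.logout(tok)
    logged_out = store.validate(tok, "tablet-key", t0 + 1) is None

    return {"same_device": same_device, "copied_to_other_device": copied,
            "original_after_copy": original_after_copy, "idle_expires": idle,
            "absolute_expires": absolute, "logout_revokes": logged_out}


if __name__ == "__main__":
    print(scenario())
```

Presenting the same token from a second device does not just fail; it revokes the session for the first one too, on the reasoning that a key card seen in two places at once should be cancelled, not reissued. None of this is exotic, which is rather the point of the asymmetry above.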

What this changes

For me, this sharpened two things.

The first is personal. I feel less secure online than I did before understanding this. Not because anything has changed in the world, but because I now see where the actual surface area is. The gate is solid. The key card is lying on the table.

The second is professional. Delegation across digital systems has always seemed technically hard. Giving an AI agent or a colleague selective access to act on your behalf without sharing your credentials felt like a problem requiring elaborate infrastructure. It still does, done properly. But the session cookie shows that a cruder form of delegation is already available, already working, and mostly invisible. That is not reassuring. It is clarifying.

The elaborate check-in was never the whole story. It was the part we were meant to notice.