Hacker News

TLS doesn't address session fixation. (And certainly neither does CORS or the same-origin policy generally.)

Client fingerprinting (with cookies) does address session fixation. But but but didn't you just get through saying how wonderful your solution is because it doesn't use cookies?

If you're happy to use cookies and link them with server-side sessions, then just do that. (Just don't tell Roy.)

And when you need maximum performance, don't force the client to do multiple round trips.

> You only have to get that type of stuff once.

Most visits to public-facing web pages have a cold cache. Maximizing for warm-cache performance at the expense of multiple round trips for cold-cache performance is probably the wrong thing, but only A/B testing and RUM will tell you for sure.
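The defence the comment is pointing at, shown as an added example that is not code from the commenter or from any project: a server-side session store keyed by an opaque cookie value, with two independent knobs, rotating the session id when the login succeeds and binding the session to a coarse client fingerprint. The `fixation_attack` driver plays the classic scenario (attacker obtains an anonymous id, gets the victim's browser to present it, victim logs in, attacker replays the id) under each combination. The fingerprint inputs, the in-memory store, the 256-bit token size and the client strings are all assumptions made for the example; how the attacker plants the id in the victim's browser is out of scope.

```python
import hashlib
import hmac
import secrets
from typing import Optional


def fingerprint(user_agent: str, ip_prefix: str) -> str:
    # Coarse client fingerprint: User-Agent plus the /24 the request came from.
    # Constructed choice for the example; real deployments pick their own signals.
    return hashlib.sha256(f"{user_agent}|{ip_prefix}".encode()).hexdigest()


class SessionStore:
    """In-memory server-side sessions, looked up by the opaque cookie value."""

    def __init__(self, rotate_on_login: bool, bind_fingerprint: bool):
        self.rotate_on_login = rotate_on_login
        self.bind_fingerprint = bind_fingerprint
        self._sessions: dict = {}

    def new_session(self, ua: str, ip: str) -> str:
        sid = secrets.token_urlsafe(32)  # 256 bits from the CSPRNG, unguessable
        self._sessions[sid] = {"user": None, "fp": fingerprint(ua, ip)}
        return sid

    def resolve(self, sid: str, ua: str, ip: str) -> Optional[dict]:
        sess = self._sessions.get(sid)
        if sess is None:
            return None
        if self.bind_fingerprint and not hmac.compare_digest(sess["fp"], fingerprint(ua, ip)):
            # Cookie presented by a client that does not look like the one that
            # created the session: treat it as planted or stolen and drop it.
            del self._sessions[sid]
            return None
        return sess

    def login(self, sid: str, user: str, ua: str, ip: str) -> str:
        """Authenticate the presenter of `sid` as `user`; return the cookie to set."""
        sess = self.resolve(sid, ua, ip)
        if sess is None:
            sid = self.new_session(ua, ip)
            sess = self._sessions[sid]
        if self.rotate_on_login:
            # Privilege level changed: discard the pre-auth identifier (anyone else
            # who knows it now holds nothing) and issue a fresh one only this client sees.
            del self._sessions[sid]
            sid = self.new_session(ua, ip)
            sess = self._sessions[sid]
        sess["user"] = user
        return sid

    def whoami(self, sid: str, ua: str, ip: str) -> Optional[str]:
        sess = self.resolve(sid, ua, ip)
        return sess["user"] if sess else None


def fixation_attack(rotate_on_login: bool, bind_fingerprint: bool, same_fingerprint: bool) -> bool:
    """Return True if the attacker ends up holding an authenticated session for the victim."""
    store = SessionStore(rotate_on_login, bind_fingerprint)
    attacker_ua, attacker_ip = "Firefox/1.0", "203.0.113"  # constructed clients
    victim_ua = attacker_ua if same_fingerprint else "Chrome/1.0"
    victim_ip = attacker_ip if same_fingerprint else "198.51.100"

    # 1. Attacker obtains a perfectly valid anonymous session id from the server.
    planted = store.new_session(attacker_ua, attacker_ip)
    # 2. Attacker causes the victim's browser to send that id (mechanism not modelled).
    # 3. Victim logs in while presenting the planted id.
    victim_sid = store.login(planted, "alice", victim_ua, victim_ip)
    assert store.whoami(victim_sid, victim_ua, victim_ip) == "alice"  # victim is never locked out
    # 4. Attacker replays the id they planted, from their own client.
    return store.whoami(planted, attacker_ua, attacker_ip) == "alice"


if __name__ == "__main__":
    for rotate, bind, same in [(False, False, False), (True, False, False),
                               (False, True, False), (False, True, True), (True, True, True)]:
        print(f"rotate={rotate} bind_fp={bind} shared_fp={same}: "
              f"attacker {'wins' if fixation_attack(rotate, bind, same) else 'fails'}")
```

With neither defence the planted id becomes the victim's authenticated session. Fingerprint binding alone stops the basic case but not an attacker who shares the victim's User-Agent and network (same NAT, same corporate proxy); rotating the id at login closes that case too, and costs nothing in round trips since it rides on the login response's Set-Cookie. Note that TLS contributes nothing here: every request in the scenario can be over HTTPS and the outcome is unchanged.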


