Cookie-Based Session Misuse

Session state gets stored or propagated via cookies/URL parameters, then breaks under server/client boundaries and browser cookie rules (httpOnly, sameSite, Next.js setters), causing auth headers or session variables to be missing or inconsistent.