For a given HTTPS connection, each side can prove to the other that it has knowledge of the authentication cookie, without sending its part of that knowledge. There are probably many ways this could be done, and I am not going to pretend I know the best way, but here is one way. Each side sends random challenges as part of the connection establishment. Each side receives the other's challenge and encrypts it using the public key generated at the time of the authentication cookie establishment. The challenge response is embedded in the first HTTP request and response. There is some overhead and latency, but next to TLS/SSL this is minor. Reusing connections also becomes more important, and other ideas like Google's QUIC protocol make even more sense.
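The exchange described above, as an added sketch that is not the author's code: it swaps HMAC-SHA256 under a key both sides are assumed to have stored at cookie establishment in place of the public-key encryption step, and all function names and role labels are hypothetical. The responder's role is mixed into the MAC so a response cannot be reflected back to the side that issued the challenge.

```python
import hashlib
import hmac
import secrets


def new_challenge():
    """Fresh random challenge, sent during connection establishment."""
    return secrets.token_bytes(32)


def respond(key, role, challenge):
    """Answer the peer's challenge without revealing the key.

    `role` (b"client" or b"server") names the responder, so the same
    challenge yields different answers in each direction.
    """
    return hmac.new(key, role + b"\x00" + challenge, hashlib.sha256).digest()


def verify(key, peer_role, challenge, response):
    """Check the peer's answer to a challenge we issued (constant-time compare)."""
    expected = respond(key, peer_role, challenge)
    return hmac.compare_digest(expected, response)


def handshake(client_key, server_key):
    """Run both directions; returns (server_accepts_client, client_accepts_server)."""
    client_challenge = new_challenge()  # client -> server at connection setup
    server_challenge = new_challenge()  # server -> client at connection setup

    # The first HTTP request carries the client's answer to the server's challenge.
    client_answer = respond(client_key, b"client", server_challenge)
    server_accepts = verify(server_key, b"client", server_challenge, client_answer)

    # The first HTTP response carries the server's answer to the client's challenge.
    server_answer = respond(server_key, b"server", client_challenge)
    client_accepts = verify(client_key, b"server", client_challenge, server_answer)
    return server_accepts, client_accepts


if __name__ == "__main__":
    shared = secrets.token_bytes(32)  # constructed sample key
    print(handshake(shared, shared))                   # both sides hold the key
    print(handshake(secrets.token_bytes(32), shared))  # client key does not match
```

Because each connection uses fresh challenges, an answer captured from one connection does not verify on another.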