User settings that live client-side only wouldn't be a problem.
The challenge of cookies is how generic they are. Cookies can be used to store almost anything a server wants to store.
Authorization is an interesting challenge without cookies, but I do expect it could be solved in a way that is specific to supporting authorization without adding back a general key/value store.
> The challenge of cookies is how generic they are. Cookies can be used to store almost anything a server wants to store.
That's not a challenge. That's a benefit.
Anyway you didn't actually answer my question, so allow me: the answer is nothing. There is nothing about cookies that enable them to be abused more than any system that could take their place. Which is to say, the issue here isn't the technology, so a technical solution likely won't work without neutering the entire point of cookies.
The idea of 'removing cookies entirely' over just making it illegal to collect and share private information is... a bit crazy.
The challenge of cookies is how generic they are. Cookies can be used to store almost anything a server wants to store.
Authorization is an interesting challenge without cookies, but I do expect it could be solved in a way that is specific to supporting authorization without adding back a general key/value store.