In June 1994, Lou Montulli at Netscape needed to solve a shopping cart problem. HTTP had no memory. Every request arrived as if from a stranger. His solution, the HTTP cookie, gave servers a way to recognize a returning visitor. For the first time, the web had sessions: stretches of time where a server could treat a sequence of requests as belonging to one person.
But the cookie specification left something crucial unspecified. RFC 6265 says a session cookie expires "at the end of the current session (as defined by the user agent)." Duration? Unspecified. It didn't need to be. A human would close the browser. A human would walk away from the keyboard. Human behavior was the clock, and the protocol trusted it to tick.
That trust hardened into security guidance over the next three decades. OWASP recommends idle timeouts of 2 to 5 minutes for high-value applications, 15 to 30 minutes for low-risk ones. NIST guidance suggests terminating sessions after 30 minutes of inactivity. Banking settled on 15. The threat model behind all of it is physical: someone at a shared computer accesses private information, walks away without logging out, and a stranger presses the back button. The security boundary is a human body leaving a chair.
Nobody voted on 15 minutes. The convention grew from a reasonable picture of how people use computers, and it became infrastructure. So standard that OWASP's own community has debated since 2022 whether the windows are even right for humans anymore.
Now stretch that picture to an AI agent operating on the live web. It doesn't idle. It doesn't get distracted or take a phone call. It also doesn't operate one session at a time. Engineers in agent-orchestration communities describe wrestling with the problem of maintaining browser context across handoffs between different agents, passing cookies and localStorage between them so the workflow doesn't get interrupted by re-login prompts. The infrastructure designed to protect against a human walking away is now terminating sessions for systems that were never going to leave.
The friction goes deeper than dropped sessions. Idle timeouts assume a single user, one device, one sequential session. Agents create parallel sessions from multiple locations and need those sessions to persist across exactly the boundaries that security architects designed timeouts to enforce. A new infrastructure category is forming around what practitioners call "durable sessions," designed to survive disconnects, span devices, and outlive any single connection. Persistence built on top of a stateless protocol, using conventions calibrated for a user who would eventually close the tab.
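To make the clock concrete, here is an added example (not code from the original post or from any system it mentions) that replays two constructed request timelines against a sliding idle window: the walk-away case the timeout was designed for, and an agent handoff whose orchestration gap crosses the window. The 15-minute policy, the timelines and the cookie ids are assumptions.

```python
from dataclasses import dataclass

IDLE_TIMEOUT_S = 15 * 60  # the 15-minute banking convention cited above (assumed policy)


@dataclass
class Session:
    sid: str
    last_seen: float  # seconds; the sliding clock the idle timeout watches


class SessionStore:
    """Minimal server-side store enforcing a sliding idle window."""

    def __init__(self, idle_timeout_s: float = IDLE_TIMEOUT_S):
        self.idle = idle_timeout_s
        self.sessions: dict[str, Session] = {}

    def login(self, sid: str, now: float) -> None:
        self.sessions[sid] = Session(sid, now)

    def touch(self, sid: str, now: float) -> bool:
        """Accept the cookie if it was used within the idle window, else expire it."""
        s = self.sessions.get(sid)
        if s is None or now - s.last_seen > self.idle:
            self.sessions.pop(sid, None)
            return False
        s.last_seen = now
        return True


def replay(timeline, idle_timeout_s=IDLE_TIMEOUT_S):
    """Run (t_seconds, actor, cookie) requests through the store.

    Returns (number of authentications required, per-request outcomes).
    The first authentication is the initial login; every further one is a
    re-login forced by the idle timeout.
    """
    store = SessionStore(idle_timeout_s)
    logins, outcomes = 0, []
    for t, actor, sid in timeline:
        if store.touch(sid, t):
            outcomes.append((t, actor, "ok"))
        else:
            store.login(sid, t)
            logins += 1
            outcomes.append((t, actor, "login"))
    return logins, outcomes


# Constructed timelines (not real traffic). Agent A drives the site, then hands the
# cookie to agent B after a 20-minute orchestration gap; B resumes the same session.
AGENT_HANDOFF = [(0, "agent-A", "c1"), (60, "agent-A", "c1"), (120, "agent-A", "c1"),
                 (120 + 20 * 60, "agent-B", "c1"), (120 + 20 * 60 + 5, "agent-B", "c1")]
# A person stops at t=60 and walks away; someone else presses Back 16 minutes later.
WALK_AWAY = [(0, "user", "c2"), (60, "user", "c2"), (60 + 16 * 60, "stranger", "c2")]
```

Under the 15-minute window both timelines end in a forced re-authentication; widening the window to NIST's 30 minutes lets the agent handoff through untouched, which is exactly the trade the durable-sessions work is negotiating.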
The session lifecycle was modeled on a human lifecycle. Wake up, browse, idle, leave. Agents have something closer to a process lifecycle: start, run, fork, persist. The 15-minute window was a portrait of a person, drawn so accurately into the infrastructure that we forgot it was a portrait at all.