Insufficient Session Expiration
EncryptedCookieStorage and NaClCookieStorage both lack proper session expiration. A user that has obtained a legitimate session can do a replay attack recreating their cookie (with the same value as the original) thus defeating the purpose of cookie expiry.