That sounds dangerous. By sending the full cookie you're allowing yourself to hijack any of your user's sessions. That's a big security risk. Is there a reason why you need to "validate" someone's login? If someone wants to get notified about my comments, so what? There's nothing secret about it, they can just go to https://news.ycombinator.com/threads?id=gruez and get a live feed.
Also, your chrome web store page says "The publisher has disclosed that it will not collect or use your data". But you do collect and use users session cookie.
Really? Because I thought of one in the time it took to read this comment. Your extension has access to the page contents, which you can use to determine the username. It’s right in the nav. You can validate that it’s authenticated by a quick look at the profile link to see that it’s editable. Cache that boolean with a hash of the cookie for subsequent validation and you’re all done, without sending anything to your own server.
Why do you need a cookie at all? All the HN comments are public so once you’ve ascertained the handle you can query the API for any user to diff for changes.
