I don't understand the end to end argument then? I'd say it's a huge win for cleanliness that I never need to touch a buffer in my life, but can still build and deploy high performance web apps, because I can build on the Apaches/nginx/whatevers of the world.
Requiring users to log in in modern web stacks is indeed just a question of setting a flag, and it's done for you, you never need to know about, let alone consider encryption of, session cookies, so this is outsourced down the stack (and sufficiently clean for anything I can think of). Just not as far down as the HTTP standard suggests is possible.
