This is an archive of an inactive wiki and cannot be modified.

Session management with Entity Tags

This technique gives a possible implementation for the CategoryBpCookies using Java technology although it can be implemented with several other technologies.

Java's Servlet API defines two mechanisms to track sessions in non-SSL communications: Cookies and URI rewriting. If client device does not support cookies and, due to security constraints, URI rewriting is not admitted, an ETag HTTP header with the following format can be used:

ETag: jsessionid/"0902200600056"

Its semantics is identical to this URI rewriting example (but keeping anyone from seeing session ID in the URI):;jsessionid=0902200600056

Evidently, the use of an entity tag adds some security but not so much as, at last, session ID "travels" in plain text, although it is not shown in the address bar of the web browser/user agent.

Session ID is initially sent from the user agent to the server in an If-None-Match HTTP request header, then read from the header by the server and included later in responses (in ETag headers like the one previously seen).


Implementation Steps:

General ETag and If-None-Match headers HTTP dialog is illustrated in CachingWithETag technique (although applied to caching and not to session management).

More on HTTP Parameters in the wiki

Back to BestPracticesList

CategoryJava CategoryBpCookies

Contributions to this wiki are governed by the W3C policies for Contribution to W3C' wiki on Mobile Web.