This is an archive of an inactive wiki and cannot be modified.

Session management with Entity Tags

This technique gives a possible implementation of the CategoryBpCookies best practice using Java servlet technology, although it can be implemented with several other technologies.

Java's Servlet API defines two mechanisms for tracking sessions over non-SSL connections: cookies and URI rewriting. If the client device does not support cookies and, because of security constraints, URI rewriting is not permitted, an ETag HTTP header of the following form can be used:

ETag: jsessionid/"0902200600056"

Its semantics are identical to those of this URI rewriting example, but the session ID is kept out of the URI, where anyone could see it:

http://example.com/personal_info/address.html;jsessionid=0902200600056

Evidently, the entity tag adds only a little security: the session ID still travels in plain text and can be read by anyone on the network path, although it is no longer shown in the address bar of the browser/user agent, kept in bookmarks and history, or leaked to third-party sites in Referer headers (the usual weaknesses of URI rewriting). Two further caveats apply. The jsessionid/ prefix is not one of the entity-tag forms the HTTP specification defines ("..." or W/"..."), so a strict intermediary may discard or rewrite the header. And a standard user agent sends If-None-Match only when revalidating a cached response of the same URI, so the session is recognised only on repeated requests to a URI the client has already fetched.

The server assigns the session ID and returns it in an ETag response header like the one above. On later requests the user agent sends it back in an If-None-Match request header; the server reads it from that header, restores the session, and includes the same tag again in its response. Because the tag is all that identifies the session, the ID must be unguessable (generated from a cryptographic random source, not from the date or a counter), and a tag the server does not recognise must lead to a fresh session rather than being adopted as-is.

Pre-requisites:

Implementation Steps:

The general HTTP dialog of ETag and If-None-Match headers is illustrated in the CachingWithETag technique (applied there to caching rather than to session management).
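As an added, self-contained example (not code from the original page or from any servlet container), the following javax.servlet Filter implements the dialog described above: it reads the session ID from If-None-Match, restores or creates an in-memory session, and writes the tag back in the ETag header. The class name, the request attribute name, the in-memory session store, the 32-hex-digit ID format and the 128-bit SecureRandom IDs are all assumptions of this example.

```java
import java.io.IOException;
import java.math.BigInteger;
import java.security.SecureRandom;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Filter that carries the session ID in the ETag / If-None-Match headers
 * instead of a cookie or a rewritten URI. Example code written for this
 * page; it is not part of any servlet container or framework.
 */
public class EtagSessionFilter implements Filter {

    /** Request attribute under which servlets find the per-session map (assumed name). */
    public static final String SESSION_ATTR = "etag.session";

    // The page's header format: ETag: jsessionid/"<id>". Only IDs of the exact
    // length and alphabet we generate are accepted; anything else means "no session".
    private static final Pattern TAG = Pattern.compile("jsessionid/\"([0-9a-f]{32})\"");

    private final SecureRandom random = new SecureRandom();
    // In-memory store for the example; a real deployment needs expiry and bounds.
    private final Map<String, Map<String, Object>> sessions = new ConcurrentHashMap<>();

    @Override public void init(FilterConfig cfg) {}
    @Override public void destroy() { sessions.clear(); }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        String id = extractSessionId(request.getHeader("If-None-Match"));
        Map<String, Object> session = id == null ? null : sessions.get(id);
        if (session == null) {
            // Missing, malformed or unknown tag: start a fresh session instead of
            // adopting the client-supplied value (otherwise a session fixation hole).
            id = newSessionId();
            session = new ConcurrentHashMap<>();
            sessions.put(id, session);
        }
        request.setAttribute(SESSION_ATTR, session);

        // private: shared caches must not store a personalised response.
        // no-cache: the user agent may keep a copy but must revalidate it on every
        // use, and that conditional request is what carries the tag back to us.
        // Headers go on before the servlet runs so they precede any commit.
        response.setHeader("Cache-Control", "private, no-cache");
        response.setHeader("ETag", "jsessionid/\"" + id + "\"");

        chain.doFilter(request, response);
    }

    /** Returns the session ID carried in an If-None-Match value, or null if none. */
    static String extractSessionId(String ifNoneMatch) {
        if (ifNoneMatch == null) return null;
        // A client may send several comma-separated tags; use the first that matches.
        Matcher m = TAG.matcher(ifNoneMatch);
        return m.find() ? m.group(1) : null;
    }

    /** 128 random bits from SecureRandom as 32 hex digits; never derived from time. */
    private String newSessionId() {
        byte[] b = new byte[16];
        random.nextBytes(b);
        return String.format("%032x", new BigInteger(1, b));
    }
}
```

Register the filter in web.xml or with @WebFilter("/*"); servlets then read and write session state through request.getAttribute(EtagSessionFilter.SESSION_ATTR). The filter never answers 304 itself, so the client always receives a full response carrying the current tag, and the strict pattern match means a tag that was tampered with or forged in an unexpected form simply yields a new, empty session.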

More on HTTP Parameters in the wiki

Back to BestPracticesList


CategoryJava CategoryBpCookies

Contributions to this wiki are governed by the W3C policies for Contribution to W3C' wiki on Mobile Web.