by vmorgulis 3501 days ago
Maybe with an ETag:

https://en.wikipedia.org/wiki/HTTP_ETag


ETag is for notifying that content has been updated, so how would you use the mechanism to log someone in?
You can exploit the fact that HTTP caching sends the ETag back and forth. A server can set a crafted ETag and basically use it as a session ID. See [1][2]

[1] http://security.stackexchange.com/questions/12679/how-can-i-... [2] https://github.com/lucb1e/cookielesscookies/blob/master/inde...
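The mechanism described in the comment above, as an added example that is not code from the thread or from the linked cookielesscookies project: the server hands out a random ETag on a tracked resource, and because the browser echoes the stored ETag back as If-None-Match on every revalidation, that value works as a session identifier. The request/response shapes are simplified dicts (an assumption for illustration, not a real HTTP server), and the session store is an in-memory dict constructed here. Cache-Control: no-cache is what forces the browser to revalidate, and therefore resend the tag, on every load rather than only after the cached copy goes stale.

```python
import secrets

# Constructed in-memory session store: ETag value -> per-"session" data.
# A real deployment would persist this; it exists here only for the demo.
SESSIONS = {}


def parse_if_none_match(value):
    """Return the list of entity tags a client sent in If-None-Match.

    Handles the weak-validator prefix (W/"..."), quoting, and the
    comma-separated form so a forged or multi-valued header cannot
    smuggle an unexpected string into the session lookup.
    """
    tags = []
    for raw in value.split(","):
        tag = raw.strip()
        if tag.startswith("W/"):
            tag = tag[2:]
        tag = tag.strip('"')
        if tag and tag != "*":
            tags.append(tag)
    return tags


def handle(request_headers):
    """Server side of the ETag-as-session-ID trick.

    request_headers is a dict of header name -> value (assumption: the
    framing of a real server is omitted). Returns (status, headers, body).
    """
    for tag in parse_if_none_match(request_headers.get("If-None-Match", "")):
        if tag in SESSIONS:
            # Known tag echoed back: the browser has identified itself.
            SESSIONS[tag]["visits"] += 1
            # 304 with the same ETag keeps the cached entry (and the tag) alive.
            return 304, {"ETag": '"%s"' % tag, "Cache-Control": "no-cache"}, b""

    # First visit, or a tag we never issued: mint a fresh unguessable one.
    # An unguessable value matters because the tag is the whole credential.
    new_id = secrets.token_urlsafe(16)
    SESSIONS[new_id] = {"visits": 1}
    headers = {
        "ETag": '"%s"' % new_id,
        # no-cache: the browser must revalidate (and resend the ETag) every time.
        "Cache-Control": "no-cache",
        "Content-Type": "image/gif",
    }
    return 200, headers, b"GIF89a"  # constructed placeholder body


def browser_revisit(previous_response_headers):
    """Model the client: a browser revalidating a cached resource sends the
    stored ETag back verbatim as If-None-Match."""
    return {"If-None-Match": previous_response_headers["ETag"]}


def session_visits(etag_header_value):
    """Look up how many times the tag in a response's ETag header was seen."""
    tag = etag_header_value.strip('"')
    return SESSIONS.get(tag, {}).get("visits", 0)


if __name__ == "__main__":
    status, hdrs, _ = handle({})           # first load: 200 + new ETag
    status2, hdrs2, _ = handle(browser_revisit(hdrs))  # reload: 304, same tag
    print(status, hdrs["ETag"], status2, hdrs2["ETag"], session_visits(hdrs["ETag"]))
```

Note that the tag is only sent back for the exact URL it was set on, so a real deployment pins it to one small resource that every page embeds, which is why clearing cookies alone does not remove this kind of identifier; clearing the cache does.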