by bbcbasic 3500 days ago
ETag is for notifying that content has been updated, so how would you use the mechanism to log someone in?
1 comment

You can exploit the fact that HTTP caching sends the ETag back and forth. A server can set a crafted ETag and basically use it as a session ID. See [1][2]

[1] http://security.stackexchange.com/questions/12679/how-can-i-...
[2] https://github.com/lucb1e/cookielesscookies/blob/master/inde...
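As an added illustration of the point in the reply (not code from the thread or from the linked project), here is a defender-side check: a genuine ETag is a content validator, so every client fetching the same bytes of a path should see the same value. When each client instead gets its own value for a path and echoes it back in If-None-Match, the ETag is functioning as a per-client identifier. The log format and the sample lines below are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample request log (assumed format, not from the thread):
# client_ip method path if_none_match response_etag   ("-" = header absent)
SAMPLE_LOG = """\
10.0.0.1 GET /pixel.gif - "a1b2c3d4e5f60718"
10.0.0.1 GET /pixel.gif "a1b2c3d4e5f60718" "a1b2c3d4e5f60718"
10.0.0.2 GET /pixel.gif - "9f8e7d6c5b4a3928"
10.0.0.2 GET /pixel.gif "9f8e7d6c5b4a3928" "9f8e7d6c5b4a3928"
10.0.0.3 GET /pixel.gif - "0011223344556677"
10.0.0.1 GET /logo.png - "deadbeef"
10.0.0.2 GET /logo.png - "deadbeef"
10.0.0.3 GET /logo.png "deadbeef" "deadbeef"
"""

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (-|"[^"]*") (-|"[^"]*")$')


def parse_log(text):
    """Yield (client, path, if_none_match, etag); malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        client, _method, path, inm, etag = m.groups()
        yield (client, path,
               None if inm == "-" else inm.strip('"'),
               None if etag == "-" else etag.strip('"'))


def etag_identifier_paths(text, min_clients=2):
    """Return {path: {"clients": n, "etags": m}} for paths whose ETags look
    like per-client identifiers: every served ETag went to exactly one client
    (across at least min_clients clients) and at least one client echoed its
    value back via If-None-Match, i.e. the value round-trips like a cookie."""
    served = defaultdict(lambda: defaultdict(set))  # path -> etag -> {clients}
    echoed = defaultdict(set)                       # path -> {clients that echo}
    for client, path, inm, etag in parse_log(text):
        if etag:
            served[path][etag].add(client)
        if inm:
            echoed[path].add(client)
    flagged = {}
    for path, by_etag in served.items():
        clients = set().union(*by_etag.values())
        one_client_each = all(len(c) == 1 for c in by_etag.values())
        if len(clients) >= min_clients and one_client_each and echoed[path]:
            flagged[path] = {"clients": len(clients), "etags": len(by_etag)}
    return flagged
```

On the sample log, /pixel.gif is flagged (three clients, three distinct ETags, two of them echoed back) while /logo.png is not, since all clients share one validator.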