Simple answer ... there is no easy reliable alternative to:

a. cookie
b. Stick it in the request URL and/or data ... many alternatives in the details

Basically, the session id must be sent from the client to the server with every request.

If you use HTTP Authentication, the concept of a session is orthogonal to authentication as the authentication process is repeated under the covers with each request ... in most cases as long as the browser process remains active.

If you implement authentication as part of your application (e.g., HTML forms based) then you can choose to associate successful authentication with some form of session OR you can mimic the HTTP authentication and resend the credentials with each request.

Your choices may be limited by your choice of server, client, etc.

On Wed, 11 May 2005, Florian Weimer wrote:

> * Gaurav Vaish:
>
> >> "Authentication through forms" is not the way that HTTP authentication
> >> works. If you would be doing HTTP authentication*
> >> You do need cookies then or you can use a special 'session id' option in
> >> the tag.
> >
> > I understand that and know how the HTTP Authentication works.
> >
> > All I was interested in was... whether there's some way, other than
> > cookie or "session-ID" option (ugly parameter to URL) through which I
> > can track the session.
>
> You could put the session ID in the domain name, but this is a bad
> idea for various reasons.

_______________________________________________
Ietf@xxxxxxxx
https://www1.ietf.org/mailman/listinfo/ietf