Tracking whether user is logged-in in a stateless web application?

If I wanted to enable users to log in and out, what would be some 开发者_开发百科good patterns of doing this in a stateless application?

Also, what are the top security concerns? I am thinking of doing this in Java.

Thanks, Alex

If you cannot store session data in user's browser (via cookie), this is probably very hard to achieve.

I'm not sure what you mean by "stateless" but if storing session key in user's browser is not possible, you can always send this "key" in the HTML you produce. This "key" will be something you randomly generate (random enough that nobody can easily guess it). The "key" is only known by you and the user. Whenever the user requests a new page, he needs to "POST" or "GET" this key as HTTP parameter if the user wants to be identified as logged in.

Security concern for this is that if you do this over non-secure (http), the network can easily be sniffed. If you do it over SSL (https) it is probably more secure.