Schneier on Security: New, Undeletable, Web Cookie. On to the next round: ETags are evil! Since they can be arbitrarily assigned by the server, you can simply insert a visitor's UUID there, and on the next visit, the browser sends the content for checking for file changes (provided it supports conditional-GET, but that's true for all browsers today). The user has no control over the use of ETags - and it actually doesn't make sense to give the user this control - so it's very difficult to defend against this method.