in reply to Login and Session Thoughts

You just need to ensure that there's enough stuff coming from the browser that you can verify that they are who they say they are. That could be username+password, or a randomly generated, hard-to-guess session ID.

And remember, it doesn't have to be a cookie. See my previous post on making HTTP stateful.

-- Randal L. Schwartz, Perl hacker
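
An added example, not part of the original post: a minimal server-side sketch of the hard-to-guess session ID described above. The function names, the in-memory `%sessions` store and the 30-minute timeout are assumptions for illustration, and it assumes a Unix-like host with `/dev/urandom`. The server checks the ID the same way whether it arrived in a cookie, a hidden form field or the URL.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Digest::SHA qw(sha256_hex);

my %sessions;          # sha256(session ID) => { user, expires }; in-memory stand-in for a real store
my $TTL = 30 * 60;     # assumed idle timeout, in seconds

# Draw 16 bytes (128 bits) from the kernel CSPRNG; rand() is predictable and unsuitable here.
sub new_session_id {
    open my $fh, '<:raw', '/dev/urandom' or die "cannot open /dev/urandom: $!";
    my $got = read $fh, my $bytes, 16;
    close $fh;
    die "short read from /dev/urandom" unless defined $got && $got == 16;
    return unpack 'H*', $bytes;
}

# Call only after the username+password check has succeeded.
sub start_session {
    my ($user) = @_;
    my $id = new_session_id();
    # Store only a hash of the ID, so a leaked session table does not reveal live IDs.
    $sessions{ sha256_hex($id) } = { user => $user, expires => time + $TTL };
    return $id;    # hand this to the browser: cookie, hidden form field, or URL component
}

# Returns the user name for a live session, or undef. How the ID arrived does not matter.
sub verify_session {
    my ($id) = @_;
    return undef unless defined $id && $id =~ /\A[0-9a-f]{32}\z/;
    my $key = sha256_hex($id);
    my $s   = $sessions{$key} or return undef;
    if ( $s->{expires} < time ) { delete $sessions{$key}; return undef; }
    $s->{expires} = time + $TTL;    # sliding expiry on each verified request
    return $s->{user};
}

sub end_session { my ($id) = @_; delete $sessions{ sha256_hex($id) } if defined $id; return; }

# Constructed demo values
my $id = start_session('alice');
printf "valid ID   -> %s\n", verify_session($id)      // 'rejected';
printf "guessed ID -> %s\n", verify_session('0' x 32) // 'rejected';
end_session($id);
printf "after end  -> %s\n", verify_session($id)      // 'rejected';
```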