Dr Cookie and Mr Token - Web session implementations and how to live with them