... or technology stack for compliant web applications.
GDPR, among other things, includes cookie usage, defining four cookie types: strictly necessary cookies, preferences cookies, statistics cookies, marketing cookies.
I am researching a solution to develop a stateful web application without using cookies, to avoid falling under the incidence of GDPR. The application has to be deployable on clusters of web servers to accommodate heavy loads without using session cookies or sticky session cookies. So far the simplest solution is a web application using JSON Web Tokens (JWT) sent via the Authorization Bearer HTTP header and an in-memory data grid (Infinispan, Hazelcast, Redis, Memcached or the like) storing JWT and user session pairs, so that the user session is accessible from any node of the cluster running the web application.
While sending the JWT from the server to the browser is straightforward, I have not yet been able to figure out a technical solution to send the received JWT to the server for any browser request (form submits, anchors, XHR). While I know the HTML meta tag is a way to simulate HTTP response headers, I wonder whether it could be used to send HTTP headers, or whether there is any other HTML tag that, when included in an HTML page source, would result in sending an HTTP header for the browser's requests to the server, or whether there are any other options.
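The design described in the question (a JWT carried in the Authorization Bearer header, resolved against a session store shared by every node), sketched as an added example that is not part of the original post. The `Map` stands in for the data grid, and the secret, function names and claim layout are assumptions made for illustration.

```javascript
// Added example: SECRET, the Map-based grid and all function names are assumptions.
const crypto = require('node:crypto');

const SECRET = 'constructed-demo-secret'; // signing key shared by all cluster nodes
const grid = new Map();                   // stand-in for the data grid: jti -> session

const b64u = (v) => Buffer.from(v).toString('base64url');
const parse = (s) => JSON.parse(Buffer.from(s, 'base64url').toString());
const mac = (data) => crypto.createHmac('sha256', SECRET).update(data).digest('base64url');

// Login, on any node: store the session in the grid and return a signed HS256 JWT.
function issueToken(user, ttlSeconds, now = Date.now()) {
  const jti = crypto.randomUUID();
  grid.set(jti, { user, cart: [] });
  const claims = { sub: user, jti, exp: Math.floor(now / 1000) + ttlSeconds };
  const body = b64u(JSON.stringify({ alg: 'HS256', typ: 'JWT' })) + '.' +
               b64u(JSON.stringify(claims));
  return body + '.' + mac(body);
}

// Any node: resolve the session from the request headers, or null if the token
// is missing, malformed, forged, expired or revoked.
function sessionFromHeaders(headers, now = Date.now()) {
  const m = /^Bearer ([\w-]+)\.([\w-]+)\.([\w-]+)$/.exec(headers.authorization || '');
  if (!m) return null;
  const expected = Buffer.from(mac(m[1] + '.' + m[2]));
  const given = Buffer.from(m[3]);
  // Constant-time signature check before any claim is trusted.
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) return null;
  const header = parse(m[1]);
  const claims = parse(m[2]);
  if (header.alg !== 'HS256') return null;
  if (typeof claims.exp !== 'number' || claims.exp * 1000 <= now) return null;
  return grid.get(claims.jti) || null; // removing the grid entry revokes the token
}

// Browser side: only script-issued requests (fetch/XHR) can set this header,
// e.g. fetch(url, { headers: bearerHeaders(token) }); plain form submits and
// link navigations cannot carry a custom Authorization header.
function bearerHeaders(token) {
  return { authorization: 'Bearer ' + token };
}
```

Because every node verifies the signature with the same key and looks the session up by `jti`, no sticky routing is needed, and deleting the grid entry invalidates a token before its `exp`.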