Look carefully at the source code. It's bogus. Not the ETag trick, but the demo itself.
The demo is actually just identifying users by hashing the REMOTE_ADDR and USER_AGENT HTTP headers.
So it appears to work, when it doesn't really. Users with dynamic IPs or via proxies etc. will often fail.
This is why it appears to work across incognito windows. Chrome sends the same user agent, incognito or not.
----
The ETag trick is real. But you DO need to use JavaScript in the browser to extract the ETag from the headers of the cached image. It doesn't really have to be an image. Just a request that can be made via XMLHttpRequest.
... or could set the ETag on the page itself, and use the fact that the browser will send an If-None-Match on the next request. But that only works for the one single URI, not all pages on the domain. The code appears as if it COULD be used to do that. But it never sets the ETag HTTP header on itself.
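An added example, not part of the comment or of the demo's source: a small offline probe that tells the two mechanisms described above apart by checking which conditions the identifier survives. Both tracker functions, the SHA-256 choice, the dictionary keys and the sample addresses are assumptions made for illustration.

```python
import hashlib
import secrets

def header_hash_tracker(req):
    # Model of what the comment says the demo does: the ID is a hash of
    # REMOTE_ADDR and USER_AGENT (hash function assumed, not from the demo).
    raw = req["REMOTE_ADDR"] + "|" + req["USER_AGENT"]
    return hashlib.sha256(raw.encode()).hexdigest()[:16]

def etag_tracker(req):
    # Model of a real cache-validator scheme: the ID is whatever the browser
    # sends back in If-None-Match, or a fresh value if the cache is empty.
    return req.get("IF_NONE_MATCH") or secrets.token_hex(8)

def probe(tracker):
    # Constructed sample client (documentation address ranges).
    base = {"REMOTE_ADDR": "192.0.2.10", "USER_AGENT": "ExampleBrowser/1.0"}
    # Two visits with empty caches (normal window, then incognito):
    # no If-None-Match is sent in either.
    first = tracker(dict(base))
    incognito = tracker(dict(base))
    # Same browser cache revalidating, but the client's IP has changed.
    moved = tracker({**base, "REMOTE_ADDR": "198.51.100.7",
                     "IF_NONE_MATCH": first})
    return {"survives_empty_cache": first == incognito,
            "survives_ip_change": moved == first}

def classify(tracker):
    r = probe(tracker)
    if r["survives_empty_cache"] and not r["survives_ip_change"]:
        return "request-header fingerprint"
    if r["survives_ip_change"] and not r["survives_empty_cache"]:
        return "cache validator (ETag)"
    return "inconclusive"

if __name__ == "__main__":
    for t in (header_hash_tracker, etag_tracker):
        print(t.__name__, "->", classify(t), probe(t))
```

An identifier that stays the same in a fresh incognito window but changes with the IP address cannot be coming from the cache, which is the observation the comment makes about the demo.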