The webserver software that you are using should have cookies.
We use Apache Tomcat and I use the HttpSession object to store a unique session id that I use to access a server-side in-memory cache that contains all of the specific player info.
The basic idea is this: http://machinesaredigging.com/2013/10/2 ... sion-work/
If you don't have cookies, then you have to use an amalgam of parameters from the request like: External IP, User Agent, Time Zone, SSL parameters, etc.
Like this: https://panopticlick.eff.org/
I had come up with the idea of building a unique fingerprint for each computer, based on various request parameters, but it really only works with SSL, Flash, or Java Applets.
In order for the username to be cryptographically secure, you need to use a cryptographically secure random number generator when creating session IDs, etc. For example, I use a cryptographically secure session ID using the SecureRandom class in Java to generate random bytes which I then convert into a Base64 string and include in the session ID, along with their public IP address, and the date in the form (YYYYMMdd).
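
A sketch of the session ID scheme described in the post above, as an added example that is not the poster's code. The class name `SessionIdDemo`, the `|` separator, the 32-byte token length, the map standing in for the in-memory cache, and the rule of rejecting an ID presented from a different address or day are all assumptions; the sample IPs and date are constructed.

```java
import java.security.SecureRandom;
import java.time.LocalDate;
import java.time.format.DateTimeFormatter;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

public class SessionIdDemo {
    private static final SecureRandom RNG = new SecureRandom();
    // Lowercase yyyy is the calendar year; uppercase YYYY in Java is the week-based year.
    private static final DateTimeFormatter DAY = DateTimeFormatter.ofPattern("yyyyMMdd");
    // Stand-in for the server-side in-memory cache: session ID -> player info.
    private static final Map<String, String> CACHE = new ConcurrentHashMap<>();

    static String newSessionId(String clientIp, LocalDate day) {
        byte[] raw = new byte[32];                  // 256 bits from the CSPRNG
        RNG.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        // '|' occurs in neither URL-safe Base64 nor IPv4/IPv6 text, so it splits cleanly.
        return token + "|" + clientIp + "|" + day.format(DAY);
    }

    // Returns the cached player info, or null if the ID is unknown, malformed,
    // presented from another address, or issued on another day.
    static String lookup(String sessionId, String requestIp, LocalDate day) {
        String[] parts = sessionId.split("\\|");
        if (parts.length != 3) return null;
        if (!parts[1].equals(requestIp) || !parts[2].equals(day.format(DAY))) return null;
        return CACHE.get(sessionId);
    }

    public static void main(String[] args) {
        LocalDate today = LocalDate.of(2024, 12, 30);   // constructed sample date
        String ip = "203.0.113.7";                      // constructed (documentation range)
        String id = newSessionId(ip, today);
        CACHE.put(id, "player-42");                     // constructed player record

        System.out.println(lookup(id, ip, today));              // same address, same day
        System.out.println(lookup(id, "198.51.100.9", today));  // presented from another address
        System.out.println(lookup(id, ip, today.plusDays(1)));  // presented a day later
        String forged = "AAAA|" + ip + "|" + today.format(DAY); // guessed token, right IP and date
        System.out.println(lookup(forged, ip, today));          // never issued by the server
    }
}
```

Only the random token makes the ID unguessable; the IP address and date are known to the client and serve as binding checks, not secrets.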