Which mechanism is used to maintain a session state in the stateless HTTP protocol?

Prepare for the Certified Ethical Hacker Version 11 Exam. Study with comprehensive questions and explanations. Equip yourself with the skills needed for success!

Multiple Choice

Which mechanism is used to maintain a session state in the stateless HTTP protocol?

Explanation:
HTTP is stateless, so a mechanism is needed to recognize the same user across multiple requests. Cookies provide that by carrying a small piece of data, typically a session identifier, between the client and server. When a user authenticates, the server creates a session record and sends a Set-Cookie header with the session ID. The browser stores this cookie and automatically includes it in future requests, allowing the server to look up the correct session data and keep the user logged in without re-authenticating each time.

The other options do not fit. CAPTCHAs verify that a user is human; they do not maintain session state. A direct timing attack involves measuring response times to reveal information; it does not describe how state is kept across requests. A session fixation attack concerns how session IDs are managed and can be a security risk, but the mechanism that maintains session state itself is the cookie-based session identifier.
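The flow described above, as an added example that is not part of the original page: a server-side session store that issues the ID in a Set-Cookie header, resolves it from the Cookie header on later requests, and mints a fresh ID at login so a client-supplied ID is never adopted (the session ID management concern behind session fixation). The cookie name `sid`, the in-memory `SESSIONS` dict and the function names are assumptions made for illustration.

```python
import secrets
from http.cookies import SimpleCookie

COOKIE_NAME = "sid"   # assumed cookie name
SESSIONS = {}         # server-side session records, keyed by session ID

def set_cookie_header(sid):
    """Build the Set-Cookie value that carries the session ID to the browser."""
    c = SimpleCookie()
    c[COOKIE_NAME] = sid
    c[COOKIE_NAME]["path"] = "/"
    c[COOKIE_NAME]["secure"] = True      # only sent over HTTPS
    c[COOKIE_NAME]["httponly"] = True    # not readable from page scripts
    c[COOKIE_NAME]["samesite"] = "Lax"   # withheld on most cross-site requests
    return c[COOKIE_NAME].OutputString()

def lookup(cookie_header):
    """Parse a request's Cookie header; return (sid, record) or (None, None)."""
    jar = SimpleCookie()
    jar.load(cookie_header or "")
    morsel = jar.get(COOKIE_NAME)
    sid = morsel.value if morsel else None
    # Only IDs the server itself issued are accepted; unknown IDs mean "no session".
    if sid in SESSIONS:
        return sid, SESSIONS[sid]
    return None, None

def login(cookie_header, user):
    """After authentication: drop any presented session and mint a fresh ID."""
    old_sid, _ = lookup(cookie_header)
    SESSIONS.pop(old_sid, None)          # invalidate the pre-login session, if any
    sid = secrets.token_urlsafe(32)      # unpredictable, server-generated
    SESSIONS[sid] = {"user": user}
    return sid, set_cookie_header(sid)

def handle(cookie_header):
    """Any later request: the cookie alone tells the server who is calling."""
    _, record = lookup(cookie_header)
    return f"hello {record['user']}" if record else "please log in"

if __name__ == "__main__":
    sid, header = login("", "alice")     # constructed sample exchange
    print("Set-Cookie:", header)
    print(handle(f"{COOKIE_NAME}={sid}"))
    print(handle(f"{COOKIE_NAME}=client-supplied-id"))
```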