In order to track user agent sessions, the BIS Request Handler places a Cookie in the responses that is sends to the user agent. The Cookie has a specific name, is associated with a specific URL, and contains the information that the BIS Request Handler can use to identify the session. When the client sends a request to the specific URL (or a URL containing the Cookie's URL), the client also sends the Cookie back in the request.

When the server receives this request, by default, BIS looks for a Cookie in the request to locate a session created by a previous request from the same user agent. When the BIS Request Handler receives a request containing the specially-named cookie, it uses the contents of the cookie to search for an existing session. If the session is located, BIS services the request using that session. If the session is not located, a new session is created for the request and the new session's cookie is included with the response.

The disadvantage of using cookies is that some user agents purposely disable cookies for privacy reasons: unscrupulous web sites can use permanent cookies to track the user agent's repeat visits over a long period of time. BIS uses only session cookies-a type of cookie that is automatically deleted when the user agent terminates-to avoid these concerns. It is also possible to configure a user agent to ignore session cookies. This will, unfortunately, prevent BIS applications from working with that user agent.