I want to create a simple long polling server in node.js where communication will be based on jsonp requests. I understand that the client makes a request and the server holds the response until some data is ready or a certain timeout is reached, and then a new request from the client is made to keep things going. Once the first request is made, a session ID is generated and stored to keep a list of actively connected clients. Now, how do I identify which client in my list of active connections a subsequent request (after the first response from the server to the client) belongs to?
I can imagine doing it like this: the first response from the server sends the assigned session ID to the client, and then the client is identified based on this ID when making subsequent requests. But I think this approach can be easily exploited and is vulnerable to identity theft.
I would use a cookie.
The next step for me would be to use SSL, if I were worried about ID theft.