Without either Session Tracking or SSL, the container wouldn't be able to identify you between separate requests.
To get round this, you can use:
Session Tracking - you probably know all about this.
SSL - Used for "confidentiality", and so it means that unauthorised people should not be able to access the data. If the container is maintaining this secure connection, then it will definitely know who you are.
i think with form login we can't do the url rewriting for session tracking since action attribute has the value of j_security_check.so we need to resort to ssl+http or cookies way of tracking a user.therefore form based login can't be used without htttp+ssl and cookies enabled.