I found this post on how to create a user session filter based on a session cookie.
Based on several tutorials, I created this simple example:
<filter>
    <filter-name>SessionFilter</filter-name>
    <filter-class>com.DX_57.AC_57.SessionFilter</filter-class>
</filter>
<filter-mapping>
    <filter-name>SessionFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
<error-page>
    <error-code>401</error-code>
    <!-- the servlet spec requires <location> to be a context-relative path starting with "/" -->
    <location>/DX-57/SR-57</location>
</error-page>
import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// ! Don't forget configuration in web.xml
public class SessionFilter implements Filter
{
    private FilterConfig filterConfig = null;

    public SessionFilter()
    {
    }

    @Override
    public void init(FilterConfig filterConfig) throws ServletException
    {
        this.filterConfig = filterConfig;
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException
    {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse res = (HttpServletResponse) response;

        // Context-relative path of the request (the filter is mapped to /*).
        String path = req.getRequestURI().substring(req.getContextPath().length());

        // The redirect target and JSF's resource servlet must pass through unfiltered,
        // otherwise an unauthenticated user is redirected to the login page forever.
        boolean loginPage = path.equals("/DX-57/SR-57/Home.jsf");
        boolean jsfResource = path.startsWith("/javax.faces.resource/");

        // getUserPrincipal() is non-null only when the container (or something earlier
        // in the chain) has authenticated the request.
        if (req.getUserPrincipal() == null && !loginPage && !jsfResource)
        {
            // Remember where the user wanted to go so the login page can send them back.
            req.getSession().setAttribute("from", req.getRequestURI());
            // Redirect with an absolute, context-relative path; a relative path would be
            // resolved by the browser against whatever URI was requested.
            res.sendRedirect(req.getContextPath() + "/DX-57/SR-57/Home.jsf");
        }
        else
        {
            chain.doFilter(request, response);
        }
    }

    @Override
    public void destroy()
    {
        this.filterConfig = null;
    }
}
In the tutorial that I found, the session cookie is used to identify the user. But can I use, for example, a browser ID or something else unique to create and authenticate the user session? What are the best practices for securing JSF applications?
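As an added example (not part of the question above or of the tutorials it refers to), here is how the session cookie that the filter relies on can be hardened in the same web.xml on a Servlet 3.0 or newer container, which is what JSF 2 normally runs on. The timeout value and the resource name are assumptions; everything else uses only elements defined by the servlet specification.

```xml
<!-- Added example: session-cookie hardening in web.xml (Servlet 3.0+); not from the question -->
<session-config>
    <!-- Idle timeout in minutes; 30 is an assumed value, pick one that fits the application. -->
    <session-timeout>30</session-timeout>
    <cookie-config>
        <!-- JSESSIONID cannot be read from JavaScript, which blunts cookie theft via XSS. -->
        <http-only>true</http-only>
        <!-- The cookie is only sent over HTTPS, so it cannot be sniffed on the wire. -->
        <secure>true</secure>
    </cookie-config>
    <!-- Never fall back to ;jsessionid=... in URLs, which leaks the session id into
         logs, browser history and Referer headers. -->
    <tracking-mode>COOKIE</tracking-mode>
</session-config>

<!-- A secure cookie is useless if the application is also reachable over plain HTTP,
     so require TLS for every request; the container redirects http:// to https://. -->
<security-constraint>
    <web-resource-collection>
        <!-- "Whole application" is an assumed, descriptive name. -->
        <web-resource-name>Whole application</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>
```

These elements go inside the `<web-app>` root next to the `<filter>` and `<error-page>` entries from the question; `<tracking-mode>` and `<cookie-config>` are rejected by containers that only implement Servlet 2.5, so check the `version` attribute on `<web-app>` before adding them.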