Your rewrite processor would need to gain access to your internal application’s logic, or the user-session, and set the Language there. Unfortunately this system does not provide access to the current request – so you might have to use some trickery to gain access to the HttpRequest object (and thusly the HttpSession)… This might be an area where improvement is needed.
In addition to that, it would also need to intercept the ?lang=en_US parameter, remove it, and redirect to the resulting URL.
1. Intercept ?lang=en_US
2. Set value in User Session
3. Return new URL without parameter, causing a redirect to occur (assuming your rewrite rule has been appropriately configured. Read the full chapter on inbound rewriting to learn more about what I mean here.)