>>Using 'cookieless=true' doesn't prevent you from using cookies - just means that the sessionId is in the URL not in a cookie. So if, for example, you wanted to store

>The "Thumbs Down" section of that page is really scary. First, because, this is broadcasted in the URL so anyone can see it or grab it by any means and use it after taking over the session. The URL syntax that this generates is also something that changes the way the URL are being recognized and managed. It seems to me that implementing this approach is more problematic than staying like actual. But, maybe I am missing something.

I think MS missed the boat by using the mangled URL as alternative. Having the cookie stored within normal payload data would have been better - even down to allowing new, encrypted non-diskable cookies to be updated via HTTPS:// rest without breaking too much other architecture.