>>I think MS missed the boat by using the mangled URL as alternative. Having the cookie stored within normal payload data would have been better - even down to allowing new, encrypted non-diskable cookies to be updated via HTTPS:// rest without breaking too much other architecture.
>
>Yes, this is exactly my point. If it would have been simply added in the query string, I would have been ok with that. At first, this is what I thought it was. Today, when I started to look at this, this is where I realized "Oh, is that really what the URL would look like".

It looks like that on your browser (and may be visible in the same way in browser history) - but with https it's encrypted over the wire.
In that respect I don't see it as being any less secure than cookies.