I don't see why so many people hate cookies (or advise
not to use them).
I have the same problem here, I wrote a webmail app using
Apache::Session to keep track of users. The session ID goes
back out in a cookie, but all my coworkers said "Why the
I don't want to set up a FORM tag to provide some action -
users can click on a link to read a mail for instance. So,
if I put the session ID into the link (to get to it via GET)
and someone reads a mail with a link inside (URLs in mails
are getting autoconverted to links) and hits the link -
voila, the session id is stored on the remote server in the
referer log. Ok, this would work only for ten minutes (until
the session expires) but that was the way that gmx.de
was hacked - 1600 accounts lost their passwords.
Sometimes one doesn't get away without cookies trivially.