in reply to Re: mod_perl authorization and time-outs ... without cookies?
in thread mod_perl authorization and time-outs ... without cookies?

but why bother? This is one wheel that's not worth reinventing
  1. WAP devices such as phones/PDAs that cannot take cookies
  2. People who want to turn cookies off to avoid being tracked

IMO, if I were to build a session management module that didn't use cookies, I would be putting the session id as a parameter, and rotating the sess_id each page view (to avoid replay).

This is a nice, easy and relatively secure method that will slot in easily with CGI.pm and anything you may have written already; all you have to do is substitute the cookie value for the param value!

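The scheme described in the post above (a `sess_id` parameter that is replaced on every page view), sketched as an added example that is not part of the original post. The in-memory `%SESSIONS` store, the 900-second idle timeout, the use of `/dev/urandom` and the function names are all assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use CGI;

# Constructed stand-in for a server-side store. A real mod_perl deployment
# needs a store shared between processes (for example a database).
my %SESSIONS;            # sess_id => { user => ..., expires => epoch }
my $IDLE_TIMEOUT = 900;  # seconds; assumed value

# 128-bit id from the kernel CSPRNG, hex encoded (assumes a Unix-like host).
sub new_sess_id {
    open my $fh, '<:raw', '/dev/urandom' or die "urandom: $!";
    my $buf;
    my $n = read($fh, $buf, 16);
    close $fh;
    die "short read from urandom" unless defined $n && $n == 16;
    return unpack 'H*', $buf;
}

sub start_session {
    my ($user, $now) = @_;
    my $id = new_sess_id();
    $SESSIONS{$id} = { user => $user, expires => $now + $IDLE_TIMEOUT };
    return $id;
}

# Validate the id sent with this page view and swap it for a fresh one.
# Returns (user, new_id), or an empty list if the id is malformed, unknown,
# already used, or idle past the timeout.
sub rotate_session {
    my ($q, $now) = @_;
    my $old = $q->param('sess_id');
    return unless defined $old && $old =~ /\A[0-9a-f]{32}\z/;
    my $sess = delete $SESSIONS{$old};   # single use: gone after this view
    return unless $sess && $sess->{expires} > $now;
    return ($sess->{user}, start_session($sess->{user}, $now));
}

# Demo with constructed requests and timestamps.
my $t0  = time;
my $id1 = start_session('alice', $t0);
my ($user, $id2) = rotate_session(CGI->new({ sess_id => $id1 }), $t0 + 10);
print "view 1: user=$user, new id issued\n";
my @replay = rotate_session(CGI->new({ sess_id => $id1 }), $t0 + 20);
print "replay of old id: ", (@replay ? "accepted" : "rejected"), "\n";
my @stale = rotate_session(CGI->new({ sess_id => $id2 }), $t0 + 911);
print "idle past timeout: ", (@stale ? "accepted" : "rejected"), "\n";
```

A session id carried in a URL parameter also ends up in access logs, browser history and `Referer` headers, so sending it as a hidden field in POSTed forms and serving the site over TLS limits where it can be read. Single-use ids also mean the back button and a second browser tab will present an id that has already been consumed.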