Just to add to what mcdave said, if you are in an environment where no cookies are allowed then surely your users are aware of this so it's fair enough to tell them that opening a new tab or whatever won't work. I don't really understand why they would do this unless they knew how to construct the correct URL. Maybe they know the IDs of what they are looking for and want to tack that onto the end of the generic URL? If so then if you put the session id parameter before all other parameters in your URLs then the browser's auto-complete function will include it before the bit the user wants to replace - just might work.