>a URL parameter

I love those systems. Especially when the unwary users share links, accidentally letting other users into the site as them. Or when google indexes it, and in addition to terrible security, the site uses regular GET links to perform site actions, so google deletes the user's content or buys a bunch of stuff as them while walking the links it finds as it indexes in beyond the user's initial account bearing link.

lol. no.

Hey, I'm not saying it's a good idea. I'm only saying it can be done. I would very much prefer cookies.

Yes ASP.NET allows (allowed? Haven’t used it in years) cookieless sessions this way. The problem is it has to rewrite all the relative links on the page to ensure session state is not lost.

The problem is it’s makes urls horribly unwieldy if a user wants to bookmark or paste in links from emails etc etc, or writing JS to interact with links, not to mention the security issues of being able to accidentally share your session.

Possibly, yes, but not at all user friendly.

Those were great. I hung around a forum around 2004 where someone posted a link to jeans he just bought from a smallish online store - the URL contained the PHP session identifier. Thousands of people had instant access to his address + bank information + purchase history, and could place orders for him.

That's nice, surprise jeans! But yeah, I'm not advocating that, I'm only saying it can be done.

Implementing session handling as URL parameters makes no difference from a legal perspective. It will be covered by the law excatly the same as if one used cookies. It's the tracking the law is about, not the implementation of it. Your just picking a worse technical solution for no legal gain.

That's disgusting. And it's like saying roads aren't essential because cars can drive on dirt.

Would this mean that if you shared a URL with someone you would be sharing your session as well?

Yes. Some sites operating like that eventually tried to work around this issue by tying it to the IP, but you can see how that is hopelessly broken anyway.

Maybe it would work with ipv6...

That would break the "remember me" feature for sure, unless you explicitly bookmark the site with the get parameter attached.

It also poses a security / opsec issue if anyone non-technical wants to send a link to a friend / co-worker. You may compromise yourself.

If people share their screen people would be able to hijack the session too.

You won't be able to distinguish device sessions from one another reliably neither. Think of "log out all other devices".

These are what I can think of. There's probably a handful more reasona NOT to do that.

> You won't be able to distinguish device sessions from one another reliably neither. Think of "log out all other devices".

You could, I think. Passing the session ID in the URL is the same as storing it as a cookie. You can invalidate both in the server.

Link sharing is an issue, for sure. You could tie the session id to the IP, but that doesn't work when people share their IP, which is more and more common every day. IP tied session would work better with IPv6, though.

In WAP times there was no such feature as cookies available. I started programming by writing WML pages instead of HTML. Good memories from those times!

The website at my college we used to register for classes and some other stuff used this method. For whatever reason though, the logic was wonky, and the site would give an error if you used the "back" button in the browser, and you'd have to go back to the home page.

Sounds like a security nightmare.