
>we'd be left with basic auth over https

Or with session ID in URL. It's a valid mechanism - works reliably, is fast, and doesn't require special support in browsers. Remember the '?PHPSESSID=...' littered all over the early internet? Yeah that one.

Of course there are some caveats, which made cookies win in the end:

* it must be applied to every internal link in the website

* it's the equivalent of a "session cookie" (no persistence after browser is closed)

* it's a privacy risk when sharing the URL via copy/paste

* it's subject to 'session fixation' attack (related to the previous caveat)

Presumably the last two could be fixed by an extra HTTP header or special in-browser handling of a designated parameter, similarly to how CORS got handled.



One problem. There have been at least three patent cases where this mechanism has been claimed to be subject to a patent. The litigants won in one, lost in two others (there may be more of these, I am only aware of 3).

How am I aware of them? I was a fact witness in these cases, and the reason I was a fact witness is that my employment agreement with Cadabra Inc., later to become Amazon.com, contains an addendum describing this technique and specifying that the company cannot attempt to patent it, since I had already implemented it while working at UWashington CS&E.

Apparently this was still not sufficient for the jury in one of the cases. Edit: none of the cases were solely about a session identifier, so to be a little fair to the final jury, it's not quite that simple.


Have you written anything about this? (Assuming you’re even allowed.) I’d love to read more if you happen to have a blog.


No blog, sorry. HN comments are the only place I've commented on it.


You can also mitigate it by including in the session token something from the server side that is sent by the client as part of the HTTP request but not as part of the query, such as a hash of their user-agent.

I did something similar to this in the early 2000s, when setting a cookie lasting longer than 24h required approval from SECDEF: [0]

This was a cookie-less FTP-over-HTTP browser, where you had to agree to the terms of service, and copying the link to someone else wouldn't mean they agreed to the terms of service. It was just a prototype.

[0] https://rkeene.org/viewer/tmp/wwwftp_cgi.c.htm#line182
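As an added example (not from any commenter, and not taken from the linked wwwftp_cgi.c), this is one way to do the binding the comment above describes: the URL token carries the session id plus an HMAC over that id and a hash of the request's User-Agent header, so a pasted link presented by a different client fails verification. The server key and the user-agent strings are constructed values.

```python
import hashlib
import hmac
import secrets

# Server-side secret, constructed for this example only; a real deployment
# would load it from a key store rather than hard-code it.
SERVER_KEY = b"example-server-key-not-for-production"


def _binding_digest(user_agent: str) -> str:
    """Hash of a request attribute the client sends outside the query string."""
    return hashlib.sha256(user_agent.encode("utf-8")).hexdigest()


def _mac(session_id: str, user_agent: str, key: bytes) -> str:
    msg = f"{session_id}:{_binding_digest(user_agent)}".encode("utf-8")
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def mint_token(session_id: str, user_agent: str, key: bytes = SERVER_KEY) -> str:
    """Value placed in the URL, e.g. ?sid=<session_id>.<mac>.

    The MAC covers the session id and the user-agent hash, so the server can
    later check that the presenter looks like the client the token was issued to.
    """
    return f"{session_id}.{_mac(session_id, user_agent, key)}"


def verify_token(token: str, user_agent: str, key: bytes = SERVER_KEY):
    """Return the session id if the token matches this user-agent, else None."""
    session_id, sep, presented_mac = token.rpartition(".")
    if not sep or not session_id:
        return None
    expected = _mac(session_id, user_agent, key)
    # Constant-time comparison so MAC checking does not leak timing information.
    if not hmac.compare_digest(expected, presented_mac):
        return None
    return session_id


def demo():
    sid = secrets.token_hex(8)
    ua_original = "Mozilla/5.0 (X11; Linux x86_64) Firefox/120.0"  # constructed
    ua_other = "Mozilla/5.0 (Windows NT 10.0) Chrome/119.0"        # constructed
    token = mint_token(sid, ua_original)
    tampered = token[:-1] + ("0" if token[-1] != "0" else "1")  # flip last MAC char
    return {
        "same_client": verify_token(token, ua_original) == sid,
        "pasted_elsewhere": verify_token(token, ua_other) is None,
        "tampered": verify_token(tampered, ua_original) is None,
    }
```

The User-Agent is sent by the client and can be copied along with the link, so this narrows the window for an accidentally shared or fixated URL rather than closing it; the same construction can bind to any other out-of-query request attribute the server trusts more.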



