The original cookie specification from 1997 was GDPR compliant (2019) (baekdal.com)
9 points by vikrum on Sept 2, 2021 | 2 comments


> If you tried to do this before cookies, when people put a product into a shopping cart on the first page they visited, as soon as they click on anything else, the browser would think this was a completely new visit, and... well... your shopping cart would be empty.

It's worth pointing out that instead of cookies we could have gone with a system where the client (browser) kept a copy of all the state and returned it to the server on every request. The cookie-based session state management was chosen because it was decided it was too inefficient to pass the entire state back and forth between the client and server.


We could have also used server-side session IDs tacked onto URLs to maintain state.

Probably need to add some sort of "only valid for this IP/timestamp/user agent" checks internally to limit session replay abuse, but likely a solvable problem.
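
The "only valid for this IP/timestamp/user agent" check from the comment above, sketched as an added example that is not part of the thread. The key, the function names and the `sid.expires.mac` token layout are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

# Constructed demo key (assumption); a real server loads this from secret storage.
SERVER_KEY = b"constructed-demo-key-not-for-production"


def _mac(session_id: str, expires: str, ip: str, user_agent: str) -> str:
    """HMAC over the session ID, its expiry and the client attributes it is bound to."""
    # Length-prefix each field so adjacent values cannot be shifted into each other.
    fields = [session_id, expires, ip, user_agent]
    msg = b"".join(len(f.encode()).to_bytes(4, "big") + f.encode() for f in fields)
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def issue_token(ip, user_agent, ttl=900, now=None):
    """Return a token 'sid.expires.mac' suitable for a URL query parameter."""
    now = int(time.time()) if now is None else now
    session_id = secrets.token_urlsafe(16)  # alphabet has no '.', so split() is safe
    expires = str(now + ttl)
    return f"{session_id}.{expires}.{_mac(session_id, expires, ip, user_agent)}"


def verify_token(token, ip, user_agent, now=None):
    """Return the session ID if the token is intact, unexpired and from the same client."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return None
    session_id, expires_s, mac = parts
    expected = _mac(session_id, expires_s, ip, user_agent)
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        return None  # tampered, or replayed from another IP / user agent
    # The MAC covers expires_s, so it is the server-issued value and parses cleanly.
    if now >= int(expires_s):
        return None
    return session_id
```

Binding to the IP address rejects legitimate clients whose address changes mid-session (mobile networks, some proxies), and a token carried in the URL still ends up in server logs and `Referer` headers, so the expiry should stay short.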



