HTTP state management without cookies?

[Paul Rubin]

Roy Madden <roy at linksheaven.com> writes:
> I'm going to try and dig up some stats for you, but from experience and
> research the population of those who do not accept cookies is very very
> small (albeit tend to be technically proficient and vocal online). I once
> worked for an online bank with operations in Germany, and we considered
> this issue *very* carefully before choosing cookies for our user
> interface.
> 
> A slightly larger population do not 'like' them, but of the 3 methods of
> maintaining session state they are the most secure option (waiting for the
> flames to start :) ) - if security is an issue for you, and the 'like'
> issue is a matter of user education.

I think a lot of people who don't like cookies mainly don't like
persistent cookies.  As long as your cookies are used only for the
current session, most people don't mind them as much.  Unfortunately,
browser interfaces for dealing with different kinds of cookies are
still clumsy, but MSIE has a setting to reject all persistent cookies
while accepting temporary ones.  You could suggest people use that
setting if they want to have web sessions but don't want to be tracked
over long periods.