Back in 1995, I helped build a web site, with *no* cookies, that allowed us to ingeniously track sessions, figure out which users were which, such that I was able to tell a friend "you visited the site on August 8th and stayed for 10 minutes, and came back on August 25th and stayed for 15 minutes." No cookies. Just programming, URL manipulations and tricks of navigation. The problem of privacy is in *no way* related to one particular technology.
Cookies are a perfectly fine technology which, when used correctly (the way ACS does), does not engender *any* additional privacy concerns. The problem is that the press has latched on to the idea that "using cookies violates your privacy." In fact, unless you check the box "remember my login" in ACS/OpenACS, your cookie will only last the duration of your session, which inherently means that you are no more at risk than with URL manipulations.
As for using the SSL session key as a unique identifier, my crypto background forces me to cringe at the thought that a session key would ever be visible to any part of the application. That is *not* a solution.
I'm happy to hear complaints, suggestions, and anything else. However, the cookie-free ACS is not a priority today, as it solves no significant problem. If it is a priority for you, and you code up a clean, decent, unintrusive solution to it, we will be more than happy to include it in the distribution. However, calling us "short-sighted" isn't really going to get you much sympathy.