Forum OpenACS Development: Response to Login/Security tokens without cookies
Can you describe a bit more about what you mean by authentication and login? I can see how session ids can be easily encoded into the URL, but I would worry about placing a permanent, bookmarkable, user id representing an authenticated user into the URL.
The nice feature of cookies is that you can put a great deal of data in them (so that makes it hard for users to just try random cookies) and they are invisible: ignoring any security through obscurity benefits, that makes them a friendly UI.
I notice that Amazon has taken to moving query parameters, including session ids, into some odd-looking URLs:
And Tom Jackson has a Tcl module for AOLserver that can be used to do something similar for AOLserver sites. I believe Saleonall.com is using his VAT module. If you visit http://saleonall.com/cat/input/keyboards/7063/onemfg.html you can see how his catalog is encoded into the URL and doesn't use the query field.
I am not sure what servlets are doing, but I hope to rsn.... And I would love to see this placed into the 4.x request processor and security handler....
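Added example, not part of the original post and not OpenACS or AOLserver code: a sketch of the concern raised above, carrying a session token in the URL path without making it a permanent, bookmarkable user id. The token holds only a random session id and an expiry, authenticated with an HMAC. The `/s/` prefix, the 20-minute lifetime and all function names are assumptions, and the server is assumed to map the session id to a user on its side.

```python
import base64, hashlib, hmac, secrets

SERVER_KEY = secrets.token_bytes(32)  # assumption: per-server secret, never placed in a URL
TTL_SECONDS = 1200                    # assumption: 20-minute session lifetime
PREFIX = "/s/"                        # hypothetical path prefix that carries the token

def _b64(data: bytes) -> str:
    # URL-safe base64 without padding: no '/', '.' or '=' in the output
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _mac(payload: str) -> str:
    return _b64(hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).digest())

def issue_token(now: int) -> str:
    """Random session id plus expiry time, HMAC-authenticated. No user id inside."""
    payload = f"{_b64(secrets.token_bytes(16))}.{now + TTL_SECONDS}"
    return f"{payload}.{_mac(payload)}"

def verify_token(token: str, now: int):
    """Return the session id if the token is authentic and unexpired, else None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    session_id, expires, mac = parts
    expected = _mac(f"{session_id}.{expires}")
    # Constant-time comparison; a modified id or expiry fails here
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        return None
    # A bookmarked URL stops working once the expiry has passed
    if int(expires) <= now:
        return None
    return session_id

def embed(path: str, token: str) -> str:
    """Place the token in the path instead of the query field."""
    return f"{PREFIX}{token}{path}"

def split_path(url_path: str):
    """Return (token, original path); token is None when the prefix is absent."""
    if not url_path.startswith(PREFIX):
        return None, url_path
    token, _, rest = url_path[len(PREFIX):].partition("/")
    return token, "/" + rest
```

A token in the path still appears in browser history, proxy logs and Referer headers, so the short expiry and a server-side session table that can revoke ids are what limit the exposure.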