Forum OpenACS Development: Response to Login/Security tokens without cookies
We have the basics now, so we modify the request processor and security system to redirect users without the URL session information to a URL with session information. The cookie-reading functions are modified to read the URL session information when the ad_token_id doesn't exist. That's about it (IIRC) for a basic functional system.
Now for the trickier part -- making it work nicely. First, you can't detect whether a user does or does not have cookie support until the second page load, so the first page visited always has to have the session information in the URL. However, after that first page, the session information should be omitted for users that support cookies. This can be done with another redirect in the security system. The downside is that this method requires something that can be recognized by ad_conn, so it can decide if the urlv0 needs to be stripped. I would simply prepend some random combination of letters that isn't likely to be used at the front of a URL. It's also wise to make this a package parameter. The other way to make this work nicely is to maintain the session information even when the user finds an absolute link. This is done by reading session information from the referrer header when it's not present in the URL or cookie.
I'm planning on redoing this system for ACS Java when I get some time, and possibly writing an ASJ article about it.
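The request-processor logic the post describes, written out as an added example. This is not OpenACS code (the real system is Tcl under AOLserver) but a language-neutral Python sketch of the decision sequence: take the session token from the ad_token_id cookie when it exists, otherwise from a recognizable URL prefix, otherwise from the Referer header, and only then mint a new session and redirect. The prefix value `qzx7`, the `Request`/`Response` types, the `handle` function and the in-memory token store are all assumptions made for the example. One caveat worth keeping in mind when tokens ride in the URL: they end up in server logs, bookmarks and in the Referer header sent to other sites, so the Referer fallback below only trusts a token that still validates against the server-side store.

```python
"""Added example (not OpenACS code): cookie-less session fallback.

Token lookup order follows the post: cookie -> URL prefix -> Referer.
A browser that accepts cookies is redirected back to the clean URL on
its second request, so the token only stays in the URL for browsers
that really need it.
"""
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import urlsplit
import hmac
import secrets

# Hypothetical package parameter: a random-looking first path component
# that is unlikely to collide with a real URL on the site.
TOKEN_PREFIX = "qzx7"
COOKIE_NAME = "ad_token_id"   # cookie name mentioned in the post

# Constructed server-side session store (a real system would use the DB).
VALID_TOKENS: set = set()


@dataclass
class Request:
    path: str                                   # e.g. "/qzx7=<tok>/forums/x"
    cookies: dict = field(default_factory=dict)
    referer: Optional[str] = None


@dataclass
class Response:
    kind: str                                   # "serve" or "redirect"
    location: Optional[str] = None              # redirect target
    token: Optional[str] = None                 # session in effect
    set_cookie: Optional[str] = None            # cookie to (re)issue


def new_token() -> str:
    """Mint an unguessable session token and register it."""
    tok = secrets.token_urlsafe(16)
    VALID_TOKENS.add(tok)
    return tok


def valid(token: Optional[str]) -> bool:
    """Constant-time membership test so lookups do not leak by timing."""
    return token is not None and any(
        hmac.compare_digest(token, known) for known in VALID_TOKENS)


def split_url_token(path: str):
    """Return (token, path_without_token); token is None if the first
    path component does not carry the configured prefix."""
    parts = path.split("/", 2)                  # ["", "qzx7=tok", "rest"]
    if len(parts) >= 2 and parts[1].startswith(TOKEN_PREFIX + "="):
        tok = parts[1][len(TOKEN_PREFIX) + 1:]
        rest = "/" + (parts[2] if len(parts) == 3 else "")
        return tok, rest
    return None, path


def with_url_token(path: str, token: str) -> str:
    """Prepend the prefixed token as the first path component."""
    return f"/{TOKEN_PREFIX}={token}{path}"


def referer_token(referer: Optional[str]) -> Optional[str]:
    """Recover a URL token from the Referer header, if it carried one."""
    if not referer:
        return None
    tok, _ = split_url_token(urlsplit(referer).path)
    return tok


def handle(req: Request) -> Response:
    url_tok, clean_path = split_url_token(req.path)
    cookie_tok = req.cookies.get(COOKIE_NAME)

    # 1. Cookie works: it is authoritative. If the URL still carries a
    #    token (second page load after the first redirect), strip it.
    if valid(cookie_tok):
        if url_tok is not None:
            return Response("redirect", location=clean_path, token=cookie_tok)
        return Response("serve", token=cookie_tok)

    # 2. No usable cookie but a valid URL token: serve, and try setting the
    #    cookie again so the next request shows whether cookies work.
    if valid(url_tok):
        return Response("serve", token=url_tok, set_cookie=url_tok)

    # 3. An absolute link dropped the URL token: fall back to the Referer,
    #    but only for a token the server still recognizes.
    ref_tok = referer_token(req.referer)
    if valid(ref_tok):
        return Response("redirect",
                        location=with_url_token(clean_path, ref_tok),
                        token=ref_tok)

    # 4. Nothing usable (first visit, or expired token): start a session
    #    and redirect to the URL form, since cookie support is unknown yet.
    tok = new_token()
    return Response("redirect", location=with_url_token(clean_path, tok),
                    token=tok, set_cookie=tok)
```

Walking a browser through `handle` shows the two-request detection the post describes: the first request always redirects to the prefixed URL and offers a cookie; if the cookie comes back on the second request the user is bounced to the clean path, and if it does not, the page is served with the token left in the URL.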