Forum OpenACS Development: Response to Login/Security tokens without cookies

Posted by Patrick McNeill on
Jerry -- I didn't make this clear in my first posting.  By making the session code look in both the cookie and URL for session information, session timeouts work correctly.  With a redirect, the user can be given a new session completely invisibly to the user.  This allows bookmarks to function completely normally -- the user just may have to log in again (which they'd have to do anyways).

As for URL hacking, if someone wants to do it, IMHO, they'll do it regardless of where the session information is.  From my experience, the best place to put it is at the front -- anywhere else would require much more extensive changes to the ACS.  As long as it's not 100s of bytes long, it shouldn't be a problem.
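As an added example (not code from this thread or from OpenACS itself), here is a Python sketch of the lookup Patrick describes: check the cookie first, then a session token carried at the front of the URL path, and mint a fresh session with an invisible redirect when the token is missing or timed out. The `/s/<token>/` path prefix, the `session_id` cookie name, the 30-minute timeout and the in-memory store are all assumptions made for the demo.

```python
import re
import secrets
import time

SESSION_COOKIE = "session_id"   # assumed cookie name
SESSION_TTL = 30 * 60           # assumed 30-minute idle timeout, in seconds
# Assumed URL layout: the token sits at the front of the path, /s/<token>/rest
PREFIX_RE = re.compile(r"^/s/([A-Za-z0-9_-]+)(/.*)?$")

# Constructed in-memory store: token -> last-seen timestamp.
SESSIONS = {}


def new_session(now):
    """Mint an unguessable token and record when it was last seen."""
    token = secrets.token_urlsafe(16)
    SESSIONS[token] = now
    return token


def split_url_token(path):
    """Return (token, path_without_prefix); token is None if no prefix."""
    m = PREFIX_RE.match(path)
    if not m:
        return None, path
    return m.group(1), m.group(2) or "/"


def find_token(cookies, path):
    """Cookie wins when present; otherwise fall back to the URL prefix."""
    url_token, clean_path = split_url_token(path)
    if SESSION_COOKIE in cookies:
        return cookies[SESSION_COOKIE], clean_path
    return url_token, clean_path


def resolve_session(cookies, path, now=None):
    """Return (token, redirect_path). redirect_path is None when the presented
    token is valid; otherwise a fresh token is issued and the caller should
    redirect the browser to the same page with the new token in front."""
    now = time.time() if now is None else now
    token, clean_path = find_token(cookies, path)
    if token in SESSIONS and now - SESSIONS[token] <= SESSION_TTL:
        SESSIONS[token] = now            # valid: refresh the idle timer
        return token, None
    # Missing, unknown or expired: drop the stale token and start over
    # invisibly, so a bookmarked URL still lands on the right page.
    SESSIONS.pop(token, None)
    fresh = new_session(now)
    return fresh, f"/s/{fresh}{clean_path}"
```

A token in the URL is also visible in server logs and outbound Referer headers, which is the exposure the cookie placement avoids.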