Forum OpenACS Q&A: Response to Cross Site Scripting FAQ (fwd)

Posted by Tom Jackson on

One thing that there seems to be disagreement on is whether this vulnerability is due mostly to the use of cookies, or to the use of javascript. Obviously javascript is the mechanism for transferring the cookies, which are later exploited, but maybe it is the cookie code itself which allows this to happen. If a site used basic or digest authentication only, this exploit would probably not exist.

Would it be possible to modify OpenACS to run without the use of cookies, at least in respect to how it applies to user authentication?
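The post asks whether the cookie or the script is the root of the problem. The following is an added example, not code from this thread or from OpenACS, that shows the two server-side controls a defender can apply independently: escaping user-supplied text before it is placed in a page (so injected markup is displayed rather than executed), and issuing the session cookie with the HttpOnly attribute (so a script that does run in the page cannot read it through `document.cookie`). The cookie name `session_id` and the comment markup are assumptions chosen for the example; the `Set-Cookie` attribute names are the standard ones from RFC 6265.

```python
import html
from http.cookies import SimpleCookie


def render_comment(user_text: str) -> str:
    """Escape user-supplied text before embedding it in HTML.

    A submission such as '<script>...</script>' becomes literal text in
    the page instead of markup the browser executes. The wrapping <p>
    element is an assumed template fragment, not OpenACS markup.
    """
    return '<p class="comment">' + html.escape(user_text, quote=True) + "</p>"


def session_cookie_header(session_id: str, secure: bool = True) -> str:
    """Build the value of a Set-Cookie header for a session identifier.

    HttpOnly keeps the cookie out of reach of page scripts; Secure keeps it
    off plaintext connections. The cookie name 'session_id' is an
    assumption for this example, not the name OpenACS actually uses.
    """
    jar = SimpleCookie()
    jar["session_id"] = session_id
    jar["session_id"]["httponly"] = True
    jar["session_id"]["path"] = "/"
    if secure:
        jar["session_id"]["secure"] = True
    # output(header="") yields " name=value; attr; ..." for the one morsel.
    return jar.output(header="").strip()


def script_can_read(set_cookie_value: str) -> bool:
    """Check a Set-Cookie value: return True when a page script could read
    the cookie, i.e. when the HttpOnly attribute is absent."""
    attributes = {part.strip().lower() for part in set_cookie_value.split(";")[1:]}
    return "httponly" not in attributes


if __name__ == "__main__":
    # Constructed sample input: a comment body containing injected markup.
    print(render_comment("<script>alert(document.cookie)</script>"))
    header = session_cookie_header("abc123")
    print(header)
    print("script can read session cookie:", script_can_read(header))
```

`render_comment` addresses the injection itself, while `session_cookie_header` limits the damage if some other page on the site still reflects user input unescaped; the two controls are complementary, which is why the question of "cookies or javascript" has a both-and answer in practice.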