I experimented/researched cookieless sessions and tried it on my website.
I expected the switch to cookieless sessions to be transparent but this isn'
t the case at all:

1) Forms based authentication doesn't work
I read that the Whidbey release will support this and you can make it work
today:
[url]http://www.codeproject.com/aspnet/cookieless.asp[/url]
Still, it's a showstopper for most websites

2) You can't use absolute links
I think developers use this lot (at least I do to make the link callable
from every place in the site, including other directories)
I can understand a bit why fully qualified URL's aren't supported but why is
it so hard to support absolute ones. Can anyone clarify this?
Again there is a nontransparent solution: Response.ApplyAppPathModifier

3) There is a major security risk
See:
[url]http://builder.com.com/5100-6387-1044869.html[/url]
And
[url]http://groups.google.com/groups?hl=en&lr=&ie=UTF-8&oe=utf-8&safe=off&threadm=e5%24C9YK6DHA.2416%40TK2MSFTNGP 10.phx.gbl&rnum=4&prev=/groups%3Fhl%3Den%26lr%3D%26ie%3DUTF-8%26oe%3Dutf-8%26safe%3Doff%26q%3Dcookieless%2Basp.net%2Baltern ative%26sa%3DN%26tab%3Dwg[/url]

No workaround possible I think


(I expected more from Microsoft but as always they will fix this after some
releases.)

My questions:
- Who uses cookieless state in a production website? Are you satisfied with
the results?
- Can someone, with more experience then me, confirm my 3 points (possibly
someone from Microsoft)
- Is there a 3rd party solution that makes cookieless websites a real
choice? (No app changes is meant by this)

For now I stay away from cookieless mode since it involves application
changes and a big security risk.

Please say that I am wrong :)