It depends on your implementation. If you set it up correctly you can use session cookies (not stored). In today's Internet, it's hard to find ANY complex application that doesn't require session cookies. Try logging into any Google app, or running many
J2EE webapps without them (e.g.
Tomcat tracks browser to session object using them).
Granted there are ways to "rewrite" the URLs with sessionID information on them. But this is a lot of extra coding/checking. It also makes for a lot of possible "bugs" to track down when the special coding is forgotten.
You combine this with the fact that session cookies are not a spyware or other security risk since they disappear when you shut the browser down, it's not so "onerous" to require people to turn this on. (If they already haven't for other applications they run).
[originally posted on jforum.net by monroe]