Is there any way of maintaining session IDs across requests without JavaScript other than cookies? My understanding is, the whole point of cookies is that they're automatically sent by the user agent, anything else that was stored (such as in LocalStorage) could only be used by JS scripts.
I don't know if I'm remembering right, but I seem to remember some early PHP framework or templating system, $_SESSION variables could be configured to use query parameters instead of cookies. So every link generated by the framework automatically inserted a "?SESSIONID=12345" at the end of the link. The backend translated this into the PHP $_SESSION object.
If your whole website doesn't use JavaScript and every request reloads the page, that reloaded page can contain current session id, right? Why do we need to rely on automation which does this thing, with known drawbacks, but can't do that ourselves?
> that reloaded page can contain current session id, right
Right, through cookies - unless you want to embed the session ID in every single link or button in the whole page. The way pages "contain" session data like that _is_ cookies! snapetom mentions embedding in query parameters, which while a possible solution, seems even worse to me, as it means sharing a link to the current page you're on leaks your session token. I'm really not sure I'm following what you're saying here.
