Discussion on:

3 Comments
This is a great article. Not only does the author carefully outline the possible solutions, but he clearly states each one's pros and cons, as well as providing resources about each solution.

My only quirk? I think "hidden field" is a more accurate title for the "hidden form" section wink

Also, it would have been good to provide details for non-MS applications. Although you do mention Java applets, the truth is that PHP has been doing cookieless session management for a while now.

But all in all, this is very good!
Thank you for the feedback. We'll definitely look at non-MS options in the future. Maybe something on rewriting URLs in Java.

-Matt
Caveat regarding one technique from the article re: "If they don't match, either it is a new session or someone is trying to hijack another user's session (because the session ID matches but not the IP address, or vice versa)."

The caveat is... don't assume that because somebody's request is all of a sudden coming from a different IP address then it must be a hijacked session.

Some large ISPs use farms of proxy servers, and so it is possible and perfectly valid that a user's requests can come from one IP address one moment, then from a different IP address the next.
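The following is an added example written for this page to illustrate the caveat in the comment above; it is not the article's code and not part of the comment. It models a server-side session table that records the client IP at login and then checks later requests against it. The strict check is the one the article describes (mismatched IP means reject); the two alternatives, matching on a network prefix and merely flagging the mismatch, are hypothetical mitigations added here for contrast. The session store, the `validate` modes, the /24 and /64 prefix lengths and the sample addresses (from documentation ranges) are all assumptions made for the example.

```python
import ipaddress
import secrets
from dataclasses import dataclass


@dataclass
class Session:
    user: str
    ip: str  # client address the session ID was issued to


class SessionStore:
    """Hypothetical server-side session table, keyed by a random session ID.

    Written for this example only; it is not the article's implementation.
    """

    def __init__(self, prefix_v4=24, prefix_v6=64):
        self._sessions = {}
        # Prefix lengths used by the "prefix" mode (assumed values).
        self.prefix_v4 = prefix_v4
        self.prefix_v6 = prefix_v6

    def create(self, user, client_ip):
        """Issue a fresh, unguessable session ID bound to client_ip."""
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = Session(user, client_ip)
        return sid

    def validate(self, sid, client_ip, mode="strict"):
        """Check a presented session ID against the requesting IP.

        Returns one of "new", "ok", "reject" or "suspicious".
          strict : any IP change is treated as a hijack (the article's rule)
          prefix : accept an IP change inside the same /24 or /64
          flag   : keep the session but report the mismatch for step-up auth
        """
        sess = self._sessions.get(sid)
        if sess is None:
            return "new"  # unknown ID: treat as a brand-new session
        if client_ip == sess.ip:
            return "ok"
        if mode == "strict":
            return "reject"
        if mode == "prefix":
            issued = ipaddress.ip_address(sess.ip)
            plen = self.prefix_v4 if issued.version == 4 else self.prefix_v6
            net = ipaddress.ip_network(f"{sess.ip}/{plen}", strict=False)
            # Addresses of a different IP version never fall inside net.
            return "ok" if ipaddress.ip_address(client_ip) in net else "reject"
        if mode == "flag":
            return "suspicious"
        raise ValueError(f"unknown mode {mode!r}")


def demo():
    """Constructed scenario: a user behind a rotating proxy farm and a
    hijacker presenting the same session ID from elsewhere."""
    store = SessionStore()
    sid = store.create("alice", "203.0.113.10")
    return {
        # Same client, same address: accepted by every mode.
        "same_ip": store.validate(sid, "203.0.113.10"),
        # Same client, next proxy in the farm: strict mode drops a valid user.
        "proxy_rotation_strict": store.validate(sid, "203.0.113.11"),
        "proxy_rotation_prefix": store.validate(sid, "203.0.113.11", mode="prefix"),
        # Stolen session ID used from an unrelated network.
        "hijack_strict": store.validate(sid, "198.51.100.5"),
        "hijack_prefix": store.validate(sid, "198.51.100.5", mode="prefix"),
        "hijack_flag": store.validate(sid, "198.51.100.5", mode="flag"),
        # An ID the server never issued.
        "unknown_id": store.validate("not-a-real-id", "203.0.113.10"),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:24s} {outcome}")
```

The prefix match only helps when the proxy farm sits inside one network; a large ISP may hand a user addresses from several unrelated blocks, and conversely an attacker on the same /24 as the victim passes the check. That is why the "flag" outcome is worth having: keep the session alive, but require re-authentication before anything sensitive rather than silently logging the user out.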