In the current world, what other options are there for stateful sessions?
- hidden fields? (loses for HREFS)
- per-remote-host state? (works until aol.com is the remote host)
- magic cookies? (non-standard, but common)
I like Kristol's proposal, but without that, messing with the URL seems like the only way to go--- it's certainly not "always wrong".