i don't support cookie-less visitors on large sites. like you said, adding an urlSessionFormat() to every link/form/javascript redirect/etc. is hassle enough, but i remember it adding the variables to the URL scope even if i had cookies enabled on the first request after login or some such.

i do always check that the user is notified that he needs to enable cookies for this site every time his action fails because of it.

Where do you add it to JavaScript? I can't imagine that being necessary - outside of the HTTP calls done via Ajax.

depends, when doing a redirect via document.location or changing the "href" attribute via document.getElementById( 'aLink' ).href = 'index.cfm?event=eventtoload&Language=English'

Ah true dat.

I agree with Chris H. My company runs its own mid-range retail store online, and I get the support calls for the online orders. I can tell immediately if they are having problems because of lack of cookies, and I tell them quite simply that their browser is misconfigured.

Because, quite frankly, it is. Session cookies are just as vital to modern web browsing as the Anchor tag.

Modern web browsers allow you to turn off cross-domain cookies if you are really that paranoid. Any more than that is just silly.

I offer to walk them through turning them back on when possible -- some people have sysadmins that have disabled them on a network level, or via a cookie-cutting proxy server. In those extreme cases, I have a form email that they can forward to their sysadmins which explains how out of date the concept of cookie blocking is.

Same for people that turn off JavaScript.

"You must be this tall to ride this ride."

Like Rick O, I for most sites assume that visitors will be using javascript and cookies, but I tend to test for both and provide messages like, "You have javascript turned off and some features of this web site may be lost," etc. Nevertheless, I like to test things with javascript and/or cookies turned off just to make sure the ride is at least reasonably smooth, or reasonably good at explaining what they won't be able to do.

I guess it's a compromise situation, you must assume that the majority have both cookies and javascript.
When I was investigating this, I noticed that Amazon (probably the biggest on-line retailer) don't support a 'no cookie' situation, they simply warn users to enable cookies. If it's good enough for them . . .
Without the useful command URLSessionFormat, how do other languages get around this issue ?

Something you will notice after adding "URLSessionFormat" to your links and disabling cookies, when you run the W3C XHTML validation service:

"This page is not Valid XHTML 1.0 Strict!"

Why? The Function is placing "&" instead of "&". If you would really like to use it, you will need another Replace() around it - even uglier then before ;)

Or you could do it in a udf and just use the one udf for your links.

I just recently ran into this issue on an ecomm site I wrote. With the spectre of a huge re-write to support the paranoid mini-masses and experimenting with onrequestend(), getPageContext(),getOut().getString() and a regex to do url rewriting to add the sessiontoken. That ought to work for all the cfm pges with links, but I no idea how to handle all the ajax js files that are linked. Any Ideas?

If you make your JS files CFM files then you can use the same technique.

Of course - I have to ask - why not juse add urlSesionFormat to the links? That handles adding the links for you if cookies aren't enabled.

As far as changing Justin to cfm, I then lose the client side caching of the Js. Long term I will use urlsessionformat but will be rewriting most method calls. Need a quick turnaround solution for a production site.

Unless you have an absurd amount of links in your JS - would it take that long to use the urlSessionFormat? And the client can still cache CFM files. Look into cfheader to request the client to cache the result.