Would a procedure like this not make sense?
1. Once someone enters the website a cookie is attempted "set".
This would make it so that the risk of someone "copies" an url with session id attached would be minimized since no session id would exist for most visitors(guests) , only for those who had cookies set to off and also have initiated an "action" on the website.
Security wise more checks could be added too if wanted/needed like checking the session id against ip and browser id so that that even if someone copied an url with session id attached they would not "hijack" another persons session.
Edited by toyicebear, 23 February 2012 - 11:00.