
Use Sessions instead of cookies for Login
Closed, Declined (Public)

Description

Author: tim987

Description:
Currently MediaWiki uses cookies when users log in. The next version of MediaWiki should use sessions instead of cookies. The advantages are:

More secure. If a person accidentally clicks 'remember me' when they log in on a public computer and then closes the browser thinking it will log them out, the next person who uses that public computer and goes to the wiki the previous user was at will have full access to the previous user's account.

Sessions work on browsers that have cookies disabled.

So can MediaWiki use sessions for login instead of cookies in the next version please?


Version: unspecified
Severity: enhancement

Details

Reference
bz17422

Event Timeline

bzimport raised the priority of this task from to Lowest. Nov 21 2014, 10:24 PM
bzimport set Reference to bz17422.
bzimport added a subscriber: Unknown Object (MLST).

I don't understand you; we already use sessions to store the login when "Remember me" is not checked.
If you don't want cookies, you can set $wgCookieExpiration = 0; which since 1.14 disables the "Remember me" option.

Do you realize that url-parameter-based sessions (as opposed to cookie-based sessions, which is what MediaWiki uses currently) will leave the session key in the browser's url history, no matter whether you click "remember me" or not?

tim987 wrote:

Alexandre Emsenhuber, Try this using IE7:

Click Tools, then click "delete browsing history" and clear everything. Close IE7.

Now open IE7, click on Tools, Internet options, Privacy, and slide to choose the setting "BLOCK ALL COOKIES", then go to bugzilla.wikimedia.org and log in with your email and password, then click on "enter a new bug", and you will see it will log you out, so you will NOT be able to enter a new bug report.
This is because MediaWiki uses COOKIES, and if cookies are DISABLED in a web browser, you cannot log in OR you will be LOGGED out.
Using Sessions works WITHOUT cookies. That's why I said use Sessions instead of cookies.

Another example, with your cookies STILL blocked: go to wikipedia.org and log in, and it will say this:

"Login error. Wikipedia uses cookies to log in users. You have cookies disabled. Please enable them and try again."

Brad Jorsch, the Session key is DELETED when a user closes their browser.

URL-based session tokens are unsafe (they leak to 3rd-party referers and in cut-n-paste), disrupt caching, and are otherwise troublesome -- cookies were introduced to HTTP precisely to allow state like login sessions to be handled more sensibly than this.

MediaWiki does not and will not support URL-based sessions due to those problems.

If you are referring instead to HTTP authentication, that's even harder to deal with -- there's no native way to close a login session or forget credentials temporarily. We have no intention to support this either, though there are HTTP auth plugins available.
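The two points made in this thread (that a cookie without "Remember me" is already a browser-session cookie discarded on close, and that a session token carried in the URL ends up in history, logs and Referer headers) can be shown in a few lines. The example below is added here for illustration; it is not MediaWiki code and not part of the ticket. The helper names, the `session` cookie/parameter name and the access-log lines are all constructed for the example.

```python
"""Added example (not MediaWiki code): cookie-bound login session versus a
URL-carried session token.

All helper names, the "session" cookie/parameter name and the log lines below
are constructed for illustration.
"""
import re
from http.cookies import SimpleCookie
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qs, urlsplit


def build_session_cookie(session_id: str, remember_me: bool = False,
                         lifetime_seconds: int = 30 * 24 * 3600) -> str:
    """Return a Set-Cookie header value for a login session.

    Without "remember me" no Max-Age/Expires is set, so the browser treats it as
    a session cookie and discards it when the browser is closed (the behaviour
    the thread describes for an unchecked "Remember me").  HttpOnly keeps it
    away from page script, Secure keeps it off plain HTTP, SameSite=Lax keeps
    it off cross-site subrequests.
    """
    cookie = SimpleCookie()
    cookie["session"] = session_id
    cookie["session"]["httponly"] = True
    cookie["session"]["secure"] = True
    cookie["session"]["samesite"] = "Lax"
    cookie["session"]["path"] = "/"
    if remember_me:
        # Only a persistent cookie survives a browser restart.
        cookie["session"]["max-age"] = lifetime_seconds
    return cookie["session"].OutputString()


def session_id_from_request(headers: Dict[str, str], url: str) -> Optional[str]:
    """Read the session id from the Cookie header only.

    A ?session=... query parameter in the URL is deliberately ignored, which is
    the stance taken in the thread: URL-carried session tokens are not accepted.
    """
    cookie_header = headers.get("Cookie")
    if not cookie_header:
        return None
    jar = SimpleCookie()
    jar.load(cookie_header)
    morsel = jar.get("session")
    return morsel.value if morsel is not None else None


# Combined-log-style request line: "GET /path?query HTTP/1.1"
_REQUEST_LINE = re.compile(r'"(?:GET|POST|HEAD) (?P<target>\S+) HTTP/[\d.]+"')


def urls_carrying_session_tokens(log_lines: List[str],
                                 token_param: str = "session") -> List[Tuple[str, str]]:
    """Scan access-log lines for request URLs that carry a session token.

    Anything found here is a token that has already been written to a server
    log, to the browser's history and, for outbound links, to third-party
    Referer headers: this is the leak described in the thread.
    """
    found: List[Tuple[str, str]] = []
    for line in log_lines:
        match = _REQUEST_LINE.search(line)
        if not match:
            continue
        target = match.group("target")
        query = parse_qs(urlsplit(target).query)
        if token_param in query:
            found.append((target, query[token_param][0]))
    return found


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [21/Nov/2014:22:24:00 +0000] "GET /index.php?title=Main_Page&session=7f3a9c HTTP/1.1" 200 5120 "-"',
    '203.0.113.5 - - [21/Nov/2014:22:24:02 +0000] "GET /index.php?title=Special:UserLogin HTTP/1.1" 200 2048 "-"',
    '198.51.100.9 - - [21/Nov/2014:22:25:10 +0000] "GET /wiki/Help:Contents?session=b81d2e HTTP/1.1" 200 4096 "-"',
]


if __name__ == "__main__":
    print(build_session_cookie("abc123"))
    print(build_session_cookie("abc123", remember_me=True))
    print(session_id_from_request({"Cookie": "session=abc123; lang=en"}, "/wiki/Main_Page"))
    print(session_id_from_request({}, "/wiki/Main_Page?session=ignored"))
    print(urls_carrying_session_tokens(SAMPLE_LOG))
```

Running the module prints the two Set-Cookie values (only the "remember me" one carries Max-Age), shows that the session id is taken from the Cookie header and never from the URL, and lists the two constructed log lines whose URLs carry a token. The log scan is the check a site operator can run over their own logs to confirm no session identifiers are being passed in URLs.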