(no title)

True, but in my experience, the major frameworks don't automatically lock out users with cookies disabled. For example, on a Rails app with no before_filter on the homepage, you can start the server and do this:

    echo "GET / HTTP/1.1" | nc localhost 3000