by awinograd 3669 days ago
I definitely agree with the premise that cookies are inherently insecure. With sessionStorage it's unclear to me if there's a clean way to send the secret with every http request. Does that mean binding to every link / button click event?

Also you mentioned this, but disappearing on tab-close makes it less of a drop-in replacement for cookies since that breaks existing behavior.

Interesting idea though! Enjoyed the read.


Presumably the ideal use case here is for primarily client-side applications. However, it's worth pointing out that you'd never need to bind to every element individually because of event bubbling:

    // Click events bubble, so one delegated handler on <body> covers every <a>,
    // including links added to the page later.
    $('body').on('click', 'a', function() {
        var sep = this.href.indexOf('?') === -1 ? '?' : '&';
        this.href += sep + 'token=' + encodeURIComponent(getToken());
    });

Probably not the best idea to just tack the token onto the URL. There is a reason that people are not generally using tokens on URLs in lieu of cookies for session tokens. A better idea is to add a parameter in the POST body. This means that using this method all routes need a request body and you are therefore going to be mostly using POST in your API.

Agreed, definitely don't put a session token in the URL. I'd recommend using a custom HTTP header to transmit it - this way you aren't forced to use POST for everything.

Don't. People will copy/paste links.

Better use an AJAX lib allowing a global override. Most of them allow it including the one in jquery and angular.
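A concrete version of what the last two replies suggest (a custom header, attached once through a global request override rather than on every link or button), written here as an added example; it is not code from the thread or from any commenter. The header name `X-Session-Token`, the storage key `sessionToken`, and the `fetch`-style wrapper are assumptions; with jQuery the same hook is `$.ajaxPrefilter` / `$.ajaxSetup`, and with Angular an `$http` interceptor. The storage object is an in-memory stand-in with the `sessionStorage` API so the code runs outside a browser.

```javascript
// Added example (not from the thread): attach the session token from
// sessionStorage to every request as a custom header, through one global
// request override, instead of appending it to the URL.
// Assumptions: header name X-Session-Token, storage key "sessionToken".

const TOKEN_HEADER = 'X-Session-Token';
const STORAGE_KEY = 'sessionToken';

// In-memory stand-in with the sessionStorage getItem/setItem/removeItem API,
// so the example runs outside a browser. In a page, pass window.sessionStorage.
function createMemoryStorage() {
  const store = new Map();
  return {
    getItem: (k) => (store.has(k) ? store.get(k) : null),
    setItem: (k, v) => { store.set(k, String(v)); },
    removeItem: (k) => { store.delete(k); },
  };
}
const tokenStore = createMemoryStorage();

// Build the (url, init) pair for a request: copies the caller's headers, adds
// the token header when a token is present, and rejects any URL whose query
// string already carries the token (it would end up in logs, history and
// Referer headers). The URL check is a plain substring match.
function buildRequest(url, init = {}, storage = tokenStore) {
  const token = storage.getItem(STORAGE_KEY);
  const headers = new Headers(init.headers || {});
  if (token) {
    const parsed = new URL(url, 'http://localhost'); // base only resolves relative paths
    if (parsed.search.includes(token)) {
      throw new Error('session token must be sent in a header, not the URL');
    }
    headers.set(TOKEN_HEADER, token);
  }
  return { url, init: { ...init, headers } };
}

// Wrap a fetch-compatible function once; every call through the wrapper
// carries the header, so no per-link or per-button wiring is needed.
function installGlobalOverride(fetchImpl, storage = tokenStore) {
  return (url, init) => {
    const req = buildRequest(url, init, storage);
    return fetchImpl(req.url, req.init);
  };
}

// Usage sketch (constructed): after login, store the token, then route all
// requests through the wrapper.
// tokenStore.setItem(STORAGE_KEY, tokenFromLoginResponse);
// const apiFetch = installGlobalOverride(fetch);
// apiFetch('/api/items', { method: 'GET' });
```

Because a browser never adds a custom header on its own, a cross-site form post or image load carries no token, which is the CSRF property a cookie-based session lacks by default. The tab-scoped lifetime raised in the original comment is unchanged: the token still lives in `sessionStorage`, so this only fixes how it travels, not how long it lives.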