If you don't store a leakable cookie on the client and only use a connection ID (which is autoassigned by the server and cannot be easily forged) then a lot of cross-domain evil hackery goes away.
I don't know what you mean by 'leakable' exactly, but you can already mark cookies as HttpOnly (not accessible from Javascript) and Secure (only transmitted over HTTPS).
"Leakable" in the sense that you can hand it to somebody else and they can actually use it.
A cookie is leakable because the client chooses to send it, so copying it to somebody else is really bad. A server-assigned per-connection ID is not leakable unless you can spoof the IP address of the one you're sending as.
In principle you could already achieve that by binding a session (and corresponding cookie) to the client's IP address. No big deal.
Problem you may have is that some clients are behind proxy farms and can arrive with different source IP addresses within the scope of a single session.
If you do not bind the 'server-assigned-per-connection ID' to an IP address they become just as 'leakable' as a session cookie.
Doing server side IP checks is already easy, but in reality it can lead to massive amounts of user complaints when their sessions keep disappearing, because as it turns out, some user segments have a lot of users coming through proxies where each request is not guaranteed to come from the same IP.
Of course, but the question is what that unique identifier denotes.
An IP address tells people who you are, where you are, and what you do.
A unique identifier ('+18El1iZRFCIiqRpfw4dJR8mXjJn2UxPrjwoRNpjSWg=' for instance) tells what you do without the who and where [1].
It's even possible advertisers could still target users based upon these identifiers, just without the background knowledge that makes these sorts of things privacy issues.
[1] I'll admit, it could be argued that the what can determine the who and where