I think cookie-based sessions is great for many cases. But in some cases, it might not be desirable as clients can see what might be secret information.
Why not both? Maybe, two types of sessions, client-side and server-side sessions. Although both client and server side sessions are meant to maintain states, they are appropriate for different things. --
