Well, you could do everything through POST variables instead - which will hide that - but it's a lot more hassle.
I do that already, but remember, when returning from a process with a message (whether it's a validation error, or a success message) - unless you use a querystring that can be manipulated - there is no other way but a session or client cookie interaction to stealth this process. Reason: Forms must be submitted to post a value...and the server doesn't submit forms. ;)
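The trade-off described in the post above (a message returned after processing either rides in a query string the visitor can edit, or stays on the server behind a session cookie), as an added example that is not part of the original thread. The function names and the in-memory session store are assumptions made for illustration.

```python
import secrets
from urllib.parse import urlencode, urlsplit, parse_qs

# Server-side session store: session id -> data (in-memory, illustration only).
SESSIONS = {}

def new_session():
    """Create a session; only this random id travels to the browser as a cookie."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {}
    return sid

def redirect_with_querystring(message):
    """Approach 1: the message is part of the redirect URL the browser follows."""
    return "/form?" + urlencode({"msg": message})

def render_from_querystring(url):
    """Displays whatever the URL carries, including text the server never wrote."""
    return parse_qs(urlsplit(url).query).get("msg", [""])[0]

def redirect_with_flash(sid, message):
    """Approach 2: the message stays on the server; the URL carries nothing."""
    SESSIONS[sid]["flash"] = message
    return "/form"

def render_from_flash(sid):
    """Read the message once and delete it, so a reload does not repeat it."""
    session = SESSIONS.get(sid)
    if session is None:  # unknown or made-up session id: nothing to show
        return ""
    return session.pop("flash", "")

if __name__ == "__main__":
    url = redirect_with_querystring("Saved")
    edited = url.replace("Saved", "Edited+by+client")  # constructed client-side edit
    print(render_from_querystring(edited))   # page shows text the client chose

    sid = new_session()
    print(redirect_with_flash(sid, "Saved"))  # redirect target has no message in it
    print(render_from_flash(sid))             # message shown once
    print(repr(render_from_flash(sid)))       # gone on the next request
```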
When I go to the local shop, the storekeeper might recognise me. He may even remember what I usually order.
GS, you hit the nail on the head again. The truth of the matter is that personal interaction with another human being is a lot more risky than letting a webmaster temporarily store your session information. As for "tracking" cookies, again, SPYBOT kills them all along with nasties that are FAR more dangerous to your privacy than cookies.