True story: the first web application I worked on didn't use cookies at all, not even for authenticated users. We just put the magic token in the url. It was amazing.

(Some customers really did love it. They could send each other links already logged in. They were very disappointed when we switched to cookies in the next version.)