Cookieless sessions are not supported in MVC 2 and are unlikely to be supported in future versions of MVC. See http://forums.asp.net/p/1517391/3738312.aspx for more information.

Cookieless sessions do work in MVC2, however, you cannot use POST as the method for the form submit. It only supports the use of GET. Also, all of the action paths on the forms need to be updated to the following pattern:

<form action="<%= Response.ApplyAppPathModifier("/SomeController/SomeAction") %>" method="get">

That will ensure that the session id is automatically passed along. This is the line needed in the web.config file to enable cookieless sessions:

<system.web>
    <sessionState cookieless="true" regenerateExpiredSessionId="true"></sessionState>
</system.web>

With those two above changes, everything worked!

If you are interested in a workaround for getting POST to work with Cookieless session and MCV2, I found the following page. Enabling POST in Cookieless ASP.NET This wasn't well suited for my project because I am not able to use JavaScript.

Microsoft Security Bulletin MS10-070 - Important: Vulnerability in ASP.NET Could Allow Information Disclosure (2418042)

If installed this update, check this KB.

Http.sys registry settings for IIS

Use cookieless session & form authentication auto insert this("/(S(...)F(...))/") Url path segment. Default UrlSegmentMaxLength is 260, but MS10-070 installed environment over this.I think it is a result for padding oracle.

Hope this help!