Hi,
I tried this by disabling cookies in my browser and setting cookieless="AutoDetect" for both the forms element and the sessionState element. however this just doesn't work (what i mean by work is if cookies are enable then the url is unchanged, however if cookies are disabled then the sessionid is added to the querystring as per msdn docs). the only way i can get this to work is if i set it to UseUri which will add the sessionid to the url path regardless of cookies being enabled or not.
It isn't broken, but the browser doesn' report that it has cookies disabled back to the browser.
The browser will report what browser it is, and ASP.NET keeps a list of browsers and browser capabilities. This information is used to determine wether or not to use cookieless when using AutoDetect
From the sessionState page in MSDN:
If the browser or device supports cookies, but cookies are currently disabled, cookies are still used by the requesting feature.
If you're testing from your dev machine have you tried clearing cookies from your browser? There may already be a cookie in your browser that was put there before you disabled cookies.