There are lots of shady tracking systems in the world and cookies aren't one of them: they are clear, user-visible, and in the user's direct control both in theory and in practice.
Tor isn't relevant to this. If you're using Tor to block cookies you're Doing It Wrong.
They are one technique. In, oh, 1996, we did this by simply generating a unique URL for each user. If you wanted to stay logged in you bookmarked it, and if you didn’t you... didn’t. It was right there to see in the address bar as well, no sly hiding it in HTTP headers.
> In, oh, 1996, we did this by simply generating a unique URL for each user.
That's certainly one way to do it, but you're not saying it's convenient or great for privacy, right? If the URL is the auth token, then there's no security. Typing URLs, sharing URLS, and bookmarking (logged in, logged out, shared links, server side rendering), all get problematic.