
I guess most websites nowadays are built using one of the myriad web frameworks out there (Django, RoR, you name it). Most of these frameworks enable sessions by default, simply because it's what most websites will want if they manage any kind of state. Nothing nefarious about it.


> Most of these frameworks enable sessions by default

True, but in my experience, the major frameworks don't automatically lock out users with cookies disabled. For example, on a Rails app with no before_filter on the homepage, you can start the server and do this:

    printf 'GET / HTTP/1.1\r\nHost: localhost\r\nConnection: close\r\n\r\n' | nc localhost 3000

You should get back the homepage HTML.



