Currently the only solution (without touching code, that is) is to just drop the Set-Cookie header for xf_session on all other page loads besides /(login|logout), but that causes extra sessions to be created on every backend hit, and it causes an error when posting the login form as the session cookie is not set ("Cookies are required to log in to this site. You will not be able to login until they are accepted.").
At least IGN forums (running XenForo) are currently running on a cookieless setup, but I'm unaware of the way they have implemented it (they use their own login system which sets xf_session cookie when you visit ign.com/boards/ after logging in via s.ign.com first).
I suggest an option to disable the creation of new sessions for guest users / robots.
Alternatively I suggest setting xf_user cookie for all users that login, and just define the xf_user cookie as a session cookie if the "Stay logged in" isn't checked.
- Makes caching content on a proxy server a lot easier
- Reduces HTTP query size
- Possibly reduces server load even without a caching reverse proxy by eliminating the need for carrying unique sessions for guest users