If you disable cookies in your browser all you get are lots and lots of ViewExpiredExceptions, because the URL parameter that should propagate the session is missing.
While debugging I found that this is caused by Seam's rewrite filter:
It does the rewriting in those methods that are used to encode URLs, but then only ever applies the configured rewrite rules (if any), but never actually adds the session id.
I found an existing Jira issue and added some comments there.
Would be nice if this could be fixed soon.