And no, "replace every single link with a POST form request" is not reasonable, starting with the issue that now you can't hit back.
Yes, you can. I regularly use a webapp where most links are driven with javascript, and the back button works fine both on links where they are and those where they aren't. This is kind of amazing given the general incompetence of the web app in question, like how actually doing that will at times lead to the creation of duplicate data because they apparently don't track whether forms have been used already. But that's not because they don't use cookies, because they do. It's just made by Accenture and they are generally fuckups.
Yes, if you encode the session ID in the URL there is a risk of leakage, but you don't have to do it that way. It's just an option, which I mentioned because it exists.
Want to tell me you can't do anything else I see working all day every work day?