> But when you submit your user/pass and are logged in, a cookie is set on your browser, and then a private link with your page is sent back to you.
Not necessarily. Usually either the link is public (i.e. the same for everyone) and the session ID is in the cookie, or the session ID is in the URL (considered unsafe). This is the default behaviour of various Java application servers when cookies are disabled, for example (a jsessionid=... paramter is added to the URL). The "unique private URL" concept is then functionally equivalent to session IDs in the URL with sessions that never expire.
But when you submit your user/pass and are logged in, a cookie is set on your browser, and then a private link with your page is sent back to you.
To access the private link, you'd need to be authenticated by that cookie. And the only way to obtain the cookie is through a user/pass form.