This attack depends on being able to control the requests made; cookies are automatically added to the request, which makes them vulnerable. There aren't many times when you'll have enough control over a portion of the body to make non-cookie attacks viable.