I know what you mean...
I'd always read their previous guidelines as meaning that session cookies would be covered, which as an ASP.NET developer worried me because cookieless sessions make for very ugly URLs.
However, I notice that their banner warning/consent form states "one of the cookies [...] has already been set", and their privacy page now lists out the session cookie explicitly:
http://www.ico.gov.uk/Global/privacy_statement.aspx