Augustus said:
There's only 4 ways you can move the data around the site... GET (in
querystring), POST (in form object), SESSION (in session object), COOKIE
(write a cookie to their 'pooter)
What exactly you you thing this "session object" *is*???
I'll tell you: it's a user-friendly wrapper around cookies, usually with
the ability to drop back to using the query string for those browsers that
don't support cookies.
So no, the mysterious "session object" is not an option here because Leif
has already stipulated that he doesn't want to rely on cookies and has
some problems with the query string.
My advice to Leif would be twofold:
1. Provide an "e-mail this page to a friend" link. Make sure you have a
prominent "we will not sell your address to spammers" notice nearby.
2. Keep a record of the IP address with each session. If you get a request
for a session from a different IP address, then it's likely that this is a
different person, so redirect them to a different session.
This isn't foolproof, but it's a good start.
Even better would be to not avoid cookies: use cookies, fall back to query
string for browsers that don't do cookies, then implement #2 above only
for those browsers that are using the fall-back mechanism.