people are paranoid.....

a little unknown fact is session cookies.(at least w/ the developers i know....)
the user can turn them off and the developer can no longer use session variables.

you can use IP address to maintain state or even the MAC address of the user. this requires more work or course.....