basically they're saying that there are no truly secure ways to conduct e-commerce fundamentally caused by HTTP being a stateless protocol. To maintain state you have to use one of those methods which all have inherent problems

Cookies: user may turn them off. Varying browser support, sometimes patchy. User can easily delete them

URL modification: other people can hijack the URL, so they can pose as the person. They get to see any information intended for that person, which may include account/credit card info

Hidden fields: View Source is a developer's worst enemy

Session vars: Usually tie in with cookies or url modification. If access isn't correctly setup, other people can read them and hence get the information they contain. Also, the info is usually displayed to the user at some stage, which relates back to the URL hijacking.