Another option is to maintain the state via some method on the server, and only pass a session ID to and from the client. You could use a hash key (and implement some caching mechanism so that they expire after so many minutes) to an internal memory structure (if you use a persistent CGI application), or a unique ID into a database table or a temporary file.

You could store this session ID in a cookie or as a hidden field.