I guess there are many reasons why one wouldn't use cookies; however, if they won't let you because of "grave security concerns", perhaps you could let them know it is perfectly acceptable in the wider session management community to use cookies to store a session ID for the purpose of keeping state.
If, however, you are not allowed to use cookies because your application will be used on WAP devices, then I'm afraid it's sess_id's in the URL for you.. :-)