Just because there is no shopping cart handy that does exactly what you want doesn't mean you should give up and start from scratch. You might find that it takes very minimal work to modify an existing one.

Nearly all major sites rely on cookies these days, so I think you may want to reconsider them. Size is not an issue, since the typical way to use cookies is to just store a short unique ID in the cookie and then use that to reference data kept on the server side. Nevertheless, session IDs in URLs work just fine and have been written about before on this site.

If by cross-server you mean working across a cluster of server machines (which you really don't need if you're only getting 50 hits a day!), then Apache::Session will work fine. You can use a database or dbm. If a database is truly out, then you have to use files shared on NFS or Samba. The MLDBM::Sync module supports this with proper locking, and Apache::Session does too, although I don't think many people use Apache::Session::DB_File.