As you've noted, the IP address isn't reliable. The two primary alternatives are Cookies (either session cookies or more permanent ones), or embedding a session id in URLs.

The advantage of using a Cookie is that you can maintain the session across static pages. The URL approach pretty much requires that all pages by dynamic.

My advice is to read up on cookies. merlyn has several columns that will help you get up to speed.