Definitely keep the shopping cart separate from the session. Transient data like the user's ID and login status go in the session. Data that applies to multiple users or lasts longer than the current browsing session never goes in the session.

By the way, cookies are not more secure than URLs. They are passed as plain text, and anyone who has access to sniff packets on the user's local network can grab and use either. Cookies are passed (from the client) on every request.

If you want sessions that are more than just "hard to guess", use an MD5 hash with a secret password on your side as part of the cookie, to verify that the cookie data actually came from you. This does not prevent people from sniffing the cookie off the wire, but it does prevent them from using a brute force attack to guess a valid session ID.