In a friendly environment (say, a small trusted intranet), hidden CGI params can hold small amounts of data. They aren't secure, and you can't put reams of data in them, but are often convenient for small projects.

I'd generally vote for option 2, DB tables. Then the script just passes a session id (say a random 30 digit string, to prevent session-stealing by guessing ids) and the server can retrieve / update anything it needs related to that session. I wouldn't necessarily make the tables temporary (in the DB sense of the word) either: session data can be invaluable when analyzing how your site is being used. When table starts to grow too large, have a process roll defunct or ancient sessions out of the DB into inactive archival storage.

Just my two cents.