REMOTE_ADDR and REMOTE_HOST can be modified by the user. There is no guarantee that the value transmitted for these variables is correct. Therefor, these can be abused by someone attempting to gain improper discounts.
Storing an ID as a hidden on a page again leaves you open for abuse. This relates strongly to the recent rash of poorly written shopping cart systems being abused. The prices were being "hidden" in the HTML, all a would be abuser needed to do was: Save the HTML, change the price, hit the button -- Wallah! Pay $1.00 for a $100.00 item. Storing an ID for discount could be similarly abused.
Storing ID in a cookie, should be combined with sessioning to help avoid abuse. If the cookie value is indexed in such a way that it is only good for a period of time, the chance for abuse is limited. Possibly linked to IP or other identifying information as well, to make transference of the cookie ID to a different machine more problematic. This type of solution will probably lead you to have to "re-authenticate" the user periodically based on some business rules regarding latentcy and/or total visit time.
Please do not fall into the trap of believing a piece of sensitive data in a "HIDDEN" form field is secure or tamper-proof -- it simply is not, and has been abused significantly, regularly, and recently.