If you are really concerned about security, then don't let the data out of your server!

Use some user (session) data stored the server (file, database, ...). Depending on the security required maybe encrypt that data too. (And when stored on the server, size does not matter as much.)

Have the session data identification tagged (signed with MD5 for ex.) and encrypted with a secret key (server only) to identify tampering. Include that in the URL.

---Lars