Currently I am working with Mason, and I store the session identifier in a cookie if possible, if not, in the url via a mason filter.
The session data is stored in a database table as a blob using Storable. For the users who use cookies, the page is bookmarkable/pasteable. For the others, well, it's kinda ugly.