in reply to Re^2: Session handling without using Cookie
in thread Session handling without using Cookie
I have to respectfully disagree with varian. Any of the options can work depending on your requirements. IP logging may be good enough if you don't expect your users to be on the same host. You could also try refining this option with a combination of IP and remote port. The user id will work if you require each user to have their own account. Granted, you probably could not prevent two people from sharing an account without your knowledge.
In addition, my first two options can also present problems. Fat URLs can pose problems for users trying to bookmark a page. Using a form may not be workable for your page layout.
The point is that none of the available options is perfect - they all have pitfalls. You need to decide which option will work best for your application. You could also try a combination of methods. On one site I use a combination of JavaScript, cookies and IP/port logging with server-side testing. If nothing works the user gets sessionless access with reduced functionality. Many e-commerce sites also use a combination of methods. Amazon.com for example uses a complex technique involving cookies, fat URLs and redirects.
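
An added example, not part of the original post: one way to combine two of the options discussed above, a fat URL carrying the session id plus a server-side check against the client IP, with a fall-back to sessionless access when the check fails. The names `make_token`, `check_token`, `fat_url`, the secret and the 30-minute lifetime are assumptions made for illustration.

```perl
#!/usr/bin/perl
# Added example: session id carried in the URL ("fat URL"), bound to the client IP.
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256_hex);

my $SECRET  = 'replace-with-random-server-secret';  # assumption: known only to the server
my $MAX_AGE = 1800;                                 # assumption: token lifetime in seconds

# Build "sid.issued.mac"; the MAC covers the id, the issue time and the client IP.
sub make_token {
    my ($sid, $ip, $now) = @_;
    my $mac = hmac_sha256_hex("$sid|$now|$ip", $SECRET);
    return join '.', $sid, $now, $mac;
}

# Return the session id if the token is intact, unexpired and presented from the
# same IP; return undef otherwise so the caller can serve the sessionless page.
sub check_token {
    my ($token, $ip, $now) = @_;
    return unless defined $token
        && $token =~ /\A([0-9a-f]{32})\.(\d{1,10})\.([0-9a-f]{64})\z/;
    my ($sid, $issued, $mac) = ($1, $2, $3);
    my $expect = hmac_sha256_hex("$sid|$issued|$ip", $SECRET);
    # Compare every character instead of stopping at the first mismatch.
    my $diff = 0;
    $diff |= ord(substr $mac, $_, 1) ^ ord(substr $expect, $_, 1) for 0 .. 63;
    return if $diff;
    return if $now < $issued || $now - $issued > $MAX_AGE;
    return $sid;
}

# Append the token to a link so the next request carries the session.
sub fat_url {
    my ($path, $token) = @_;
    return $path . ($path =~ /\?/ ? '&' : '?') . "sid=$token";
}

# Constructed sample data: documentation IP ranges and a fixed session id.
# A real session id would come from a cryptographically secure random source.
my $now   = 1172420640;
my $sid   = '0123456789abcdef0123456789abcdef';
my $token = make_token($sid, '192.0.2.10', $now);
print fat_url('/cart.pl?item=7', $token), "\n";
for my $case (['same host',  '192.0.2.10',   $now + 60],
              ['other host', '198.51.100.5', $now + 60],
              ['expired',    '192.0.2.10',   $now + 3600]) {
    my $got = check_token($token, $case->[1], $case->[2]);
    printf "%-10s => %s\n", $case->[0], defined $got ? "session $got" : 'sessionless access';
}
```

Because the id travels in the URL, it ends up in bookmarks, browser history and server logs; the expiry and the IP binding limit what a copied URL is good for.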
Re^4: Session handling without using Cookie
by Anonymous Monk on Feb 25, 2007 at 16:24 UTC