You could use fat links containing a session id. This would require dynamically generated pages.

No it would not. If you do not stick the sessionid in the query, but instead at the beginning of the path and the use relative URLs for whatever's supposed to know the session you don't have to tweak the HTML in any way and the browser will send the session ID along just fine:

http://www.your.site.com/ID:168F7E8A45EE/the/path/page.pl?the=real+par
+ameters
[download]

instead of

http://www.your.site.com/the/path/page.pl?ID=168F7E8A45EE&the=real+par
+ameters
[download]

What you have to do in this case is to tell your web server to extract the session ID from the path before it maps the path to directories and files on disk. I believe it's easy for Apache (though can't give you detailed instructions), for MS IIS you might (provided that they did not change the interface too much) use something like mine SessionID.dll.