I'd break my query string into parts, a session ID and a product ID. The "recommend" link would have just the product ID in the URL.

As far as preventing the SessionID from being reused (i.e. for those users that copy the URL), you can check out apache's mod_unique (IIRC, that's what it's called) which generates a unique ID for each browser session. You can use that ID to generate your session ID, and then validate the session ID on each request against Apache's unique ID. If an invalid (non-matching) sessionID comes in, you simply generate a new one and rewrite the URL (if you have mod_perl) or send a redirect (if you don't).

HTH

Philosophy can be made out of anything. Or less -- Jerry A. Fodor