Not that I meant to be yelling "homework!" 'Cos even if it was homework, I think you're asking the right kind of question in the right kind of way (it's not a 'write this code for me' kind of question, it's a "how the heck would I do this?" question).

AFA cookies and 'purism' go, since the cookie is used only to verify that this is indeed the same client program as before (and otherwise holds no info about the user), you could tell your users that your site uses cookies, for what purpose, and tell them that they're not otherwise used to track the user or gather information about them. Give them links to erase their sessions, etc.

Last gasp: I don't know how user gives you payment information, but if you have SSL, there's some more session ID possibility in that ...

Philosophy can be made out of anything. Or less -- Jerry A. Fodor