Use both, from what I understand, used in conjunction session variables & cookie'd data in tandom will give you the most complete picture possible.

fashezee,
Most definately use both if you can. However if it is a choice between one or the other...

If they are turned on in the browser, cookies are more reliable than sessions. Of course if the customer leaves the site with sessions only, they have to start over upon return. Furthermore, depending on the operating system of the server, sessions can get screwed up easier. Until sessions are more reliable or use something like a "key" from the browser for more permanence, it's important to use cookies also.

Kevin

Using in-memory sessions means that you if ever need to host your application on multiple web servers, you will have to use an affinity based DNS scheme, which is less scalable.

Cookies.

Doing both may give you slightly better coverage but will tend to increase complexity and session-mgmt-in-the-URL can impact Google and emailing links.

If you're anti-cookie, you darn well should be anti-giving-your-credit-card-information-to-a-random-unknown-person. So you shouldn't be losing too much actual business, despite the complaints you'll invariably receive.

It is possible to use it in such a way that it uses cookies if they are supported by the browser .. and if they are not then it appends session variable to the query string. PHP has inbuilt support for this .. not sure about others.