If you don't want it in the URL and you don't want to use server-side coding (ASP/JSP/PHP/CGI), then your only real choice is cookies. But of course users *can* disable cookies. If that's not a concern for you, then session cookies probably make sense. (Session cookies are just stored in memory on the user's computer, not on disk. So users can permit them even if they disallow permanent cookies...*IF* they are sophisticated enough to know the difference. Sad to say, 95% or more of users aren't that sophisticated.)
Why are you against doing it in the URL? You could encode it so that it doesn't *look* like an ID, you know.
An optimist sees the glass as half full.
A pessimist sees the glass as half empty.
A realist drinks it no matter how much there is.