How about not storing the session info in the URL? Instead, use forms extensively and store a session key in hidden fields. The URL then can be unique for each item and can be used by customers to send to others, and the hidden session key will not be included.