Amazon does both cookies and session ids in the path (and every URI on the page). As long as you are expiring these at the end of a "visit" and mixing in things like IP and user agent on the server side, this can work fine. Plus, with their model, they require a secure sign-in every time you perform account altering actions ("no" for putting something in the cart, "yes" for paying for something or changing an address).

If you do both, you can basically ignore whether or not the client supports cookies. Then again, cookies are so basic to web functionality today that I don't think the dual model is really justified compared to the extra overhead (URI rewriting) and complexity it adds.