Y'see, vmusic, HTTP is a stateless protocol. It doesn't track clients from one request to the next. Client makes a request, server responds, and that's the end of it for both of them. Next time that client makes a request it's a whole new deal. There could easily have been thousands of other requests from other clients in between, and the server isn't going to try tracking all of them on the off-chance that one (or a thousand) of them might make another request at some time in the future.
So what is usually done is that the server sends some data out with its response that the client is supposed to send back when it makes another request. Now it's up to the client to resend that data back to the server so that the server can recognise that this is the same client that made that other request fifteen seconds ago.
Session variables are generally the best method, since all that gets sent back and forth for purposes of identification is a meaningless string of characters. Other methods involve sending the data itself back and forth in some form, and that's a doubled risk because it might be intercepted en route (or the client might be compromised), and because a compromised client (or some malicious/stupid person) might mangle the data.
Session variables by contrast - well, if you mangle the session variable, chances are astronomically unlikely that you'll just happen to concoct an ID that matches a current session, and if the ID is intercepted, it is still only valid for that one session (but there is a link on the PHP manual's session page about Session Fixing that can be worth reading.)
The practical upshot though is still: avoiding those four methods will be more trouble and hassle for everyone than it's worth, and probably pointless anyway.
