Secure Session Keys
July 19th, 2005, 07:31 AM, David Dunson (Guest)

I would like to implement user authentication and session management for my
applications. I've been using solution 1 (below) for most of my
applications in the past since the target audience is mostly intranet based.
Now that I'm creating a more global application, I want to use a method that
does not require cookies, yet maintains a fairly high level of security and
fault tolerance.

Is there a better way to handle this problem? What method do the big
Internet shopping companies use?

Scenario:

A user is authenticated and is given a session key. The session key is
passed to the user in an HTML page and returned to the server using a query
string. The user then copies the URL and gives it to his friend to see.
Since the URL now contains the session key, how does the server distinguish
between the authenticated user and his friend?

Solution 1:

Use an ASP session variable to store the session key between page requests.
This solution requires that the client have session cookies enabled. If the
session is not encrypted (i.e., via SSL), the ASP session id is still passed in
clear text, and is vulnerable.

Solution 2:

Use a session key that identifies the location (IP address) of the user. If
the submitted session key doesn't match the user's location, then the
session key is invalid. The session key can be passed as part of the URL
and does not require cookies. This method is vulnerable to IP spoofing, and
breaks if the user is behind a NAT server, or web caching server that masks
the true IP address.

Solution 3:

Have the session key returned to the server via an HTTP POST request. This
method does not require cookies, but is clear text and vulnerable if the
session is not encrypted. The session key is lost if the user navigates to
a page manually issuing an HTTP GET request.
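The following is an added example, not code from the original post, that models the three transports described above (cookie, IP-bound query string, POST body) against the "copied URL" scenario in a small in-memory session store. The addresses, user name, and the `SessionStore` / `Request` names are constructed for illustration; the store is written in Python rather than ASP so the logic can be run stand-alone.

```python
"""Simulate the three session-key transports from the post and the
"user copies the URL and sends it to a friend" scenario.

Added example, not from the original post. All IP addresses and names are
constructed; the store is a hypothetical in-memory one, not ASP's."""
import secrets
import time
from dataclasses import dataclass, field

COOKIE, QUERY, FORM = "cookie", "query", "form"   # solutions 1, 2 and 3


@dataclass
class Request:
    """Minimal model of what the server sees on one HTTP request."""
    client_ip: str
    method: str = "GET"
    query: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)


class SessionStore:
    """Server-side store: the key is random, the user is looked up server-side."""

    def __init__(self, ttl_seconds=1800):
        self.ttl = ttl_seconds
        self._sessions = {}

    def create(self, user, client_ip, bind_ip=False):
        sid = secrets.token_urlsafe(32)            # 256 bits from the OS CSPRNG
        self._sessions[sid] = {
            "user": user,
            "ip": client_ip if bind_ip else None,  # solution 2 binds to the login IP
            "expires": time.time() + self.ttl,
        }
        return sid

    def resolve(self, sid, client_ip):
        """Return the user for sid, or None if unknown, expired or IP-mismatched."""
        rec = self._sessions.get(sid)
        if rec is None or rec["expires"] < time.time():
            return None
        if rec["ip"] is not None and rec["ip"] != client_ip:
            return None
        return rec["user"]


def sid_from_request(req, transport):
    """Extract the session key the way each solution in the post transports it."""
    if transport == COOKIE:
        return req.cookies.get("sid")
    if transport == QUERY:
        return req.query.get("sid")
    if transport == FORM:                          # only a POST body carries it
        return req.form.get("sid") if req.method == "POST" else None
    raise ValueError(transport)


def authenticated_user(store, req, transport):
    sid = sid_from_request(req, transport)
    return store.resolve(sid, req.client_ip) if sid else None


def run_scenario():
    """Alice logs in from 203.0.113.5 (constructed); Bob reuses what she copied.
    Returns the resolved user for each request, keyed by transport."""
    store = SessionStore()
    alice_ip, bob_far_ip = "203.0.113.5", "198.51.100.7"
    results = {}

    # Solution 1: sid lives in a cookie, so the copied URL carries nothing.
    sid = store.create("alice", alice_ip)
    alice = Request(alice_ip, cookies={"sid": sid})
    bob = Request(bob_far_ip)                      # no cookie, URL has no sid
    results[COOKIE] = (authenticated_user(store, alice, COOKIE),
                       authenticated_user(store, bob, COOKIE))

    # Solution 2: sid in the query string, bound to Alice's IP. Bob is rejected
    # from another address but accepted from behind the same NAT egress IP.
    sid = store.create("alice", alice_ip, bind_ip=True)
    alice = Request(alice_ip, query={"sid": sid})
    bob_far = Request(bob_far_ip, query={"sid": sid})
    bob_nat = Request(alice_ip, query={"sid": sid})
    results[QUERY] = (authenticated_user(store, alice, QUERY),
                      authenticated_user(store, bob_far, QUERY),
                      authenticated_user(store, bob_nat, QUERY))

    # Solution 3: sid only in a POST body. A manual GET by Alice loses it too.
    sid = store.create("alice", alice_ip)
    alice_post = Request(alice_ip, method="POST", form={"sid": sid})
    alice_get = Request(alice_ip, method="GET")
    bob = Request(bob_far_ip)
    results[FORM] = (authenticated_user(store, alice_post, FORM),
                     authenticated_user(store, alice_get, FORM),
                     authenticated_user(store, bob, FORM))
    return results


if __name__ == "__main__":
    for transport, outcome in run_scenario().items():
        print(transport, outcome)
```

The run shows the trade-offs the post lists: the cookie and POST transports keep the key out of the shareable URL, the IP-bound query-string key stops a friend on another network but not one behind the same NAT, and the POST-only key disappears on the first manual GET. In every variant the key itself still crosses the wire in the clear unless the connection uses SSL/TLS, which none of the transports fixes on its own.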
