>c) QueryString parameters are rarely filtered out. The biggest difficulty is that you must ensure that every link in your HTML document carries on this parameters, otherwise the chain is broken and a new session starts.

We use both cookies and querystring params to pass our SessionID along.
We attempt to set a cookie at login.
On subsequent hits, if there was no cookie, we assume cookies are somehow blocked and pass the SessionID in the QueryString.

You don't need to remember to write the URL to include your variable every time.

It is pretty easy to use StrExtract() and StrTran() to re-write all the URLs before sending the page.
I wrote my own ExpandTemplate to get control over stuff like this.
In the testing I did, there was no measurable performance hit.