I'd like to integrate Google Checkout, but we're still waiting on them for confirmation of our status as an approved e-commerce provider. Once that comes in, I'll be a rather busy bee rolling that out.

I was under the impression that storing data in the session was more secure than cookies, and certainly more so than query strings. Query strings, even in POST can be intercepted if you're not careful, and they're a pain in the butt to code around anyway. I believe that session data is stored on the server, and the client gets a cookie with some hashed string that matches them up to the right session.