When I've done this, I just made it a frank part of the protocol. The client makes a 'start session' call and receives in return some sort of token, and then the client keeps passing that token back to the other calls, and the SIB worries about some sort of hash table of them and deciding when to clean them up.
Adding a lot of hidden moving parts and mechanism to hide this in a cookie or an attribute or a URL or something seems dubious to me unless you somehow need to wrap an immutable existing contract in session-fu.
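
A sketch of the explicit-token scheme described in the post above, added here as an example and not code from the original poster: a "start session" call hands out an unguessable token, later calls pass it back, and the server keeps a hash table with idle expiry. The class name, method names, timeout and size limit are all assumptions chosen for illustration.

```python
import secrets
import threading
import time


class SessionTable:
    """Server-side table of explicit session tokens (hypothetical names)."""

    def __init__(self, idle_timeout=900.0, max_sessions=10000, clock=time.monotonic):
        self._idle_timeout = idle_timeout
        self._max_sessions = max_sessions   # bound memory if clients never clean up
        self._clock = clock                 # injectable so expiry can be tested
        self._lock = threading.RLock()
        self._sessions = {}                 # token -> [last_seen, per-session state]

    def start_session(self):
        """The 'start session' call: returns a token the client must pass back."""
        with self._lock:
            self.sweep()
            if len(self._sessions) >= self._max_sessions:
                raise RuntimeError("session table full")
            token = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
            self._sessions[token] = [self._clock(), {}]
            return token

    def lookup(self, token):
        """Resolve a token on any other call; unknown or expired gives None."""
        with self._lock:
            entry = self._sessions.get(token) if isinstance(token, str) else None
            if entry is None:
                return None
            now = self._clock()
            if now - entry[0] > self._idle_timeout:
                del self._sessions[token]       # expired: forget it immediately
                return None
            entry[0] = now                      # sliding idle timeout
            return entry[1]

    def end_session(self, token):
        """Explicit logout; returns True if the token was live."""
        with self._lock:
            return self._sessions.pop(token, None) is not None

    def sweep(self):
        """Drop idle sessions; returns how many were removed."""
        with self._lock:
            now = self._clock()
            stale = [t for t, e in self._sessions.items()
                     if now - e[0] > self._idle_timeout]
            for t in stale:
                del self._sessions[t]
            return len(stale)
```

The token is the only credential for the session in this sketch, so it should travel only over an encrypted channel and be kept out of logs.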
