Can we do without cookies?
Yet another stupid idea: the server generates a link to the gateway page with a unique identifier in its URL. On the client side, this identifier is saved in window.sessionState and used in subsequent API calls.
I call this page a gateway because it should redirect to a regular page, so that the identifier does not leak via the Referer header when third-party resources are accessed.
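The client side of the gateway flow described above, as an added example that is not the prototype's own code. It assumes the identifier arrives in a sid query parameter, is kept in per-tab storage (in a browser you would pass window.location and window.sessionStorage) and is sent in an X-Session-Id header; these names, the /app landing path and the identifier format are all hypothetical.

```javascript
// Added example. SESSION_KEY, "sid", "X-Session-Id" and "/app" are assumptions.
const SESSION_KEY = "sessionId";

// Run on the gateway page: keep the identifier for this tab only, then move to
// a regular page whose URL does not contain it, so Referer cannot leak it.
function enterGateway(loc, storage, landingPath = "/app") {
  const id = new URL(loc.href).searchParams.get("sid");
  // Reject a missing or malformed identifier instead of storing it.
  if (!id || !/^[A-Za-z0-9_-]{22,128}$/.test(id)) return false;
  storage.setItem(SESSION_KEY, id);
  loc.replace(landingPath); // replace(): Back does not return to the gateway URL
  return true;
}

// Build fetch() options that carry the identifier in a header, never in a URL.
function apiRequestInit(storage, init = {}) {
  const id = storage.getItem(SESSION_KEY);
  if (id === null) throw new Error("no session: open the gateway link first");
  return {
    ...init,
    credentials: "omit",           // no cookies are sent or stored
    referrerPolicy: "no-referrer", // API calls carry no Referer at all
    headers: { ...(init.headers || {}), "X-Session-Id": id },
  };
}

// Stand-ins for browser objects so the flow also runs in Node (constructed).
function fakeStorage() {
  const m = new Map();
  return {
    setItem: (k, v) => m.set(k, String(v)),
    getItem: (k) => (m.has(k) ? m.get(k) : null),
  };
}
function fakeLocation(href) {
  return { href, replaced: null, replace(p) { this.replaced = p; } };
}

// One tab walking through the gateway with a constructed sample identifier.
function demo() {
  const tab = fakeStorage();
  const loc = fakeLocation("https://example.test/gateway?sid=Zx3kQ9vT1mB7cR5yH2dLw8");
  const ok = enterGateway(loc, tab);
  const header = apiRequestInit(tab).headers["X-Session-Id"];
  return { ok, landedOn: loc.replaced, header };
}
```

A tab that never passed through the gateway has empty storage, so apiRequestInit throws there instead of sending a request without a session.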
The user has to bookmark the gateway page or save its URL by any other means. That's the explicit consent in terms of cookie law.
Another drawback is re-generation of the identifier. The user has to manage their bookmarks manually.
As for other aspects, this approach is no less secure than the cookie-based one. If the user's machine is left unlocked, anyone can steal both bookmarks and cookies, along with saved passwords.
Unlike with cookies, it's possible to have multiple sessions within the same browser. But you can't open links in a new tab: they won't belong to the same session.
This approach is prototyped on the feedback page.