A session varible can be transfered in two ways (that I know of, there might be a third). They can be in a cookie or if the browser doesn't support cookies you can have PHP automaticlly append or you can specify in a config or in a required header to automaticly check if their is a cookie and if not then append the session id to the end of the URL. With that method people without cookies turned on can access the site.