I’ve been researching PHP login scripts (the main thing I’ve found out so far is that there are more bad ones than good out there…), and the only thing that has me confused is the use of sessions and cookies together in login scripts.
I think I understand the use of sessions: when the user passes a login check, store some unique variable in a session and follow that through the pages so the pages know which user it is, but I’ve so far always used the user’s username or email address. I’ve read about using the session_id that is created at session_start() and storing that value in a cookie as well as the user_id, but was wondering what the bonus of this is… (Is it just harder to guess than a username?) Also, is the session_id cookie used to automatically re-log in a user if it exists (like with ‘remember me’ functionality), or are further checks performed on this? And where does the cookie value match up to?
Apologies if this is a trivial question, just don’t want to start walking down the wrong path on a sensitive issue.
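As an added example (not code from the original post), here is the division of labour the question asks about: the session cookie that PHP sends from session_start() holds only an opaque id pointing at server-side $_SESSION data, while a ‘remember me’ login is a separate cookie with its own random token that is checked against a stored hash. It assumes a PDO handle $db; the table and column names (users, remember_tokens, selector, validator_hash, expires_at) are assumptions.

```php
<?php
// Added example, not code from the original post. Assumes a PDO handle $db, a users
// table (id, email, password_hash) and a remember_tokens table (user_id, selector,
// validator_hash, expires_at as a unix timestamp); all names are assumptions.
session_start(); // PHP itself sets the PHPSESSID cookie; never copy the id by hand

function login(PDO $db, string $email, string $password): bool {
    $stmt = $db->prepare('SELECT id, password_hash FROM users WHERE email = ?');
    $stmt->execute([$email]);
    $user = $stmt->fetch(PDO::FETCH_ASSOC);
    if (!$user || !password_verify($password, $user['password_hash'])) return false;
    session_regenerate_id(true);              // fresh id on login defeats session fixation
    $_SESSION['user_id'] = (int) $user['id']; // server-side state identifies the user;
    return true;                              // the cookie only carries the opaque id
}

// "Remember me" is a separate long-lived cookie with its own random token, never the
// session id. Only a hash of the validator is stored, so a DB leak yields no cookies.
function issueRememberToken(PDO $db, int $userId): void {
    $selector  = bin2hex(random_bytes(8));   // lookup key
    $validator = bin2hex(random_bytes(32));  // secret proven by the cookie holder
    $expires   = time() + 30 * 86400;
    $stmt = $db->prepare('INSERT INTO remember_tokens (user_id, selector, validator_hash, expires_at)
                          VALUES (?, ?, ?, ?)');
    $stmt->execute([$userId, $selector, hash('sha256', $validator), $expires]);
    setcookie('remember', "$selector:$validator", [
        'expires' => $expires, 'path' => '/',
        'secure' => true, 'httponly' => true, 'samesite' => 'Lax',
    ]);
}

function loginFromRememberCookie(PDO $db): bool {
    if (isset($_SESSION['user_id']) || empty($_COOKIE['remember'])) return false;
    $parts = explode(':', $_COOKIE['remember'], 2);
    if (count($parts) !== 2) return false;
    [$selector, $validator] = $parts;
    $stmt = $db->prepare('SELECT user_id, validator_hash FROM remember_tokens
                          WHERE selector = ? AND expires_at > ?');
    $stmt->execute([$selector, time()]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // Constant-time compare of the stored hash against the hash of the presented value.
    if (!$row || !hash_equals($row['validator_hash'], hash('sha256', $validator))) return false;
    session_regenerate_id(true);
    $_SESSION['user_id'] = (int) $row['user_id'];
    return true;
}
```

A page that needs the current user reads $_SESSION['user_id'] after session_start(); the browser never sees that value, only the session id cookie that maps to it on the server.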
For the authoritative answers on PHP security I would highly recommend Essential PHP Security by Chris Shiflett. It is invaluable for PHP developers not using a framework.