Cookies are the better way to go.

The downsides of having the session ID in the GET variable are

• URLs look more ugly

• it screws up links and bookmarking (although this is more a cosmetic problem, as an expired session will simply be deleted and a new one created)

• it can be slightly less secure (when people share links containing the session ID, and inadvertently have their session “hijacked”).

Search engines, however, will remove the session ID from indexed URLs, as long as they are named after a standard scheme (PHPSESSID, SID…) so this is not a problem.

The usual way to go here (and I think, PHP’s default behaviour) is to use Cookies when possible, and to fall back to GET variables if they are disabled.

As to how to make GET variables “better” – one way to make URLs containing them a bit more pretty is to use URL rewriting, so you can have e.g.

example.com/category/page/1234567890 

123456890 being the session ID.

However, note that this will lead to search engines being unable to strip out the session ID, because they have no way of telling it is one.

The security issue that a session ID could inadvertently be copy+pasted to a new user can be controlled through low session timeouts, and anti-“session hijacking” measures as shown e.g. in this question. However, the accepted answer suggests using session.use_only_cookies …..