That same risk applies regardless of how the SID is maintained...The alternative, as you mention, is passing the session id in the url. The risk with doing so is that it is easy to capture over the wire
The only disadvantage to using URL propagation is it's visible to someone peaking over your shoulder and there is also the risk someone sends a link to a web page in an email or something similiar...but there are techniques to prevent this from being an issue as well...I mean programatically too...not beating up anyone who peaks over your shoulder
Only for the unaware...there is a setting in php.ini which prevents URL propagation for external links...and its also passed to other sites when you leave
Non-relative URLs are assumed to point to external sites and hence don't append the SID, as it would be a security risk to leak the SID to a different server
http://ca3.php.net/manual/en/ref.sessio ... -trans-sid
Ignore what I said at the start of this thread(It should be noted that despite these issues, temporary cookies are practically just as easy to capture over the wire - just not by referrer).
I should note...that the biggest downfall to using URL propagation is that it's not as reliable, in that, Javascript generated menus which link to your site likely won't have the SID in their URL's as the menu may possibly be created client side after URL matching has been completed by PHP session functions. Also Flash links become useless, etc...
Both cookies and URL's have their ups and downs...but really their both secure if the right techniques are used.
Cheers