I assume you're talking about session poisoning. It's possible because PHP lets the end user set their own session by declaring PHPSESSIONID=MYSESSIONID and, thus, your session_id() would return "MYSESSIONID", instead of a random hash. I wouldn't worry about using cookies. There's no real advantage and, IMO, URL-based tracking draws more attention to the session (plus you run the risk that someone shares the URL socially and now you have two users with the same session).
Because users don't have any innate way to write what goes into the session itself (unless you have an insecure app), I wouldn't worry too much about that either. Session files are not executable.
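Added example, not part of the original thread: a session bootstrap that refuses client-chosen session IDs (the behaviour described in the answer above) and issues a fresh ID at login. The user table, the `login()` helper and the sample password are constructed for illustration; the array form of `session_set_cookie_params()` assumes PHP 7.3 or later and an HTTPS site.

```php
<?php
// Added example (not from the thread). Must run before any output is sent.

// Only accept session IDs that this server generated itself; an ID the
// client invents is discarded and replaced with a new random one.
ini_set('session.use_strict_mode', '1');
// Take the ID from the cookie only, never from the URL, and never
// rewrite links to carry it.
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');

session_set_cookie_params([
    'lifetime' => 0,       // cookie ends with the browser session
    'path'     => '/',
    'secure'   => true,    // assumption: site is served over HTTPS
    'httponly' => true,    // not readable from JavaScript
    'samesite' => 'Lax',
]);
session_start();

// Constructed sample user store; a real application would query its database.
$users = ['alice' => password_hash('constructed-sample-password', PASSWORD_DEFAULT)];

// Hypothetical helper: verifies credentials and binds the user to a NEW session ID.
function login(array $users, string $name, string $password): bool
{
    if (!isset($users[$name]) || !password_verify($password, $users[$name])) {
        return false;
    }
    // Change the ID at the moment privileges change, so an ID known before
    // login is worthless afterwards; true removes the old session data.
    session_regenerate_id(true);
    $_SESSION['user'] = $name;
    return true;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $ok = login($users, $_POST['user'] ?? '', $_POST['password'] ?? '');
    echo $ok ? 'Logged in' : 'Login failed';
}
```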
Hello. Thank you very much for answering!
I don't show the session id in the address bar. I guess this isn't a problem for me, right?
The previous part I haven't understood yet!
So a user can actually mess up "edit" a session file somehow?