Is storing a session ID in a cookie a better practice than a GET var?
The title pretty much says it all. A cookie seems to have a few advantages to me; however, I'll wait to see what others say.
Also - assuming a cookie is better, what can be done to make passing the session by GET variable better?
Specifically I'm thinking about PHP; however, this should apply generally.
Cookies are the better way to go.
The downsides of having the session ID in the GET variable are:
- URLs look more ugly
- it screws up links and bookmarking (although this is more a cosmetic problem, as an expired session will simply be deleted and a new one created)
- it can be slightly less secure (when people share links containing the session ID, and inadvertently have their session "hijacked").
Search engines, however, will remove the session ID from indexed URLs, as long as they are named after a standard scheme (PHPSESSID, SID...) so this is not a problem.
As to how to make GET variables "better" - one way to make URLs containing them a bit more pretty is to use URL rewriting, so you can have e.g.
123456890 being the session ID.
However, note that this will lead to search engines being unable to strip out the session ID, because they have no way of telling it is one.
The security issue that a session ID could inadvertently be copy+pasted to a new user can be controlled through low session timeouts, and anti-"session hijacking" measures as shown e.g. in this question. However, the accepted answer suggests using session.use_only_cookies .....
Storing it in a cookie as opposed to in a GET var has at least one advantage, in that the session ID'd URL will never be bookmarked by any user.
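The measures the answers above mention (session.use_only_cookies, low session timeouts, keeping the ID out of URLs) can be combined in one bootstrap function. This is an added example, not code from either answer; the function names, the `last_seen` key and the 15-minute timeout are assumptions, and it assumes PHP 7.3 or later served over HTTPS.

```php
<?php
declare(strict_types=1);

const IDLE_TIMEOUT = 900; // assumed value: 15 minutes of inactivity

function start_cookie_only_session(): void
{
    // Take the session ID from the cookie only; never accept it from
    // the query string and never let PHP rewrite it into links.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');
    // Refuse IDs the server did not issue itself.
    ini_set('session.use_strict_mode', '1');
    ini_set('session.gc_maxlifetime', (string) IDLE_TIMEOUT);

    session_set_cookie_params([
        'lifetime' => 0,       // dropped when the browser closes
        'path'     => '/',
        'secure'   => true,    // sent over HTTPS only
        'httponly' => true,    // not readable from page scripts
        'samesite' => 'Lax',
    ]);
    session_start();

    // Enforce the idle timeout in the application: garbage collection
    // alone does not remove stale sessions at a predictable time.
    $now = time();
    if (isset($_SESSION['last_seen'])
        && $now - $_SESSION['last_seen'] > IDLE_TIMEOUT) {
        session_unset();
        session_destroy();
        session_start();
        session_regenerate_id(true); // continue under a fresh ID
    }
    $_SESSION['last_seen'] = $now;
}

// Hypothetical login hook: change the ID when the privilege level
// changes, so an ID seen before login is useless afterwards.
function on_login(int $userId): void
{
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
}

start_cookie_only_session();
```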