I guess I just answered my own question. 1. Cookie is sent along with the client request to the server. 2. Server verifies the cookie then takes actions accordingly. 3. Server does not send the session ID back unless it is explicitly coded, i.e., appending the session ID to the URL. Server only serves as a cookie verifier. If cookie does not match the record on the server, a new cookie is generated and sent to the client (of course you need to have session_start to have the cookie generated). 4. SID is generated only when the client rejects cookie, i.e., no cookie is returned to the server. Then SID can be propagated to the link to pass the session ID back forth. 5. When you have cookie enabled, session_id() is the way to catch the session ID, not SID. Just want to share my findings. It drove me nuts for a few days. As much as I like PHP, the PHP documentation does not provide a great deal of help. Pull