I am not sure what you guys mean by “session id”—an identifier for the session, or an authentication mechanism? I have used systems where the session id was auto incremented, but there was a separate signature (in the cookie) verifying that the user “owned” that session.