As far as I know webapps use session_start(); that implicitly create the session cookie PHPSESSID to recognize his users,
but when analysing the outgoing HTTP requests toward differents web applications (yahoo, facebook, gmail, youtube) I didn't see this cookie in the HTTP header but another ones :
sid, ssid, gmail_at, apisid, sapisid in gmail
datr, lu, c_user, xs, fr in facebook...
is one of these cookies is the same as PHPSESSID/JSESSID and they rename it ? (I don't think so, they don't have the same length)
is there another way that session_start() and URL Rewriting to distinguish sessions ?
or they create manually the session IDs with setcookie(); ? what is the advantage then ?
You can rename the session cookie and alter the hash algo
Try session_name($newName) to change PHPSESSID.
Or change the cookie value itself with session_id($string)
Also its a server configuration/app behaviour thing. You can safe your cookie to user relation in a file, or in a table.