I always understood that the session ID is stored in a cookie, but if cookies aren’t supported by the user’s browser for whatever reason, then PHP would be able to automatically fall back to using the query string.
Looking through some of the documentation today, I can’t work out if this is the case or not. Lots of people are passing SID explicitly in the links between pages, which I’d always assumed wasn’t necessary.