• Thomas Churchman
    2014-02-26

    It does use cookies: it stores a cookie with a session ID. The server keeps a list of those session IDs and their respective data.

    0
  • Jonne Haß
    2014-02-26

    http://en.wikipedia.org/wiki/Session_(computer_science)#HTTP_session_token

    0
  • Jürgen Kleff
    2014-02-26

    http://de1.php.net/manual/en/session.idpassing.php

    0
  • Jürgen Kleff
    2014-02-26

    Ah, and concerning security: http://de1.php.net/manual/en/session.security.php

    0
  • JCF
    2014-02-26

    In your $_SESSION variable, you can use a PHPSESSID (a kind of GUID, a unique ID) and add a timestamp as well as the user ID to be sure of what you are doing.

    0
  • thefreecat@pod.orkz.net
    2014-02-26

    One should note that this can also be accomplished (although with much more work) without cookies: just provide the session ID on every page, either in the URL or in POST values.

    Also note that in an HTTP (not HTTPS) context, you have absolutely no guarantee that the user is the one he's pretending to be.

    @Julien-Claude: binding the IP address to the session is a minimal security measure and costs almost nothing.

    0
  • Brad Koehn ☑️
    2014-02-26

    Whether you use cookies or query string parameters, the token is visible to almost anybody over HTTP. Back before Netscape invented cookies we used the query string. It was such a pain.

    These days you can use local storage, Flash cookies, etc. Cookies work the best though.

    0
  • JCF
    2014-02-26

    @JC ah yes, but I'm not against it :D, I simply hadn't thought of it again :p

    0
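
The suggestions in the comments above (a session ID cookie backed by server-side data, a timestamp and user ID kept in `$_SESSION`, and binding the session to the client IP address) put together in PHP. This is an added example, not code from any commenter; the function names and the 30-minute idle limit are assumptions.

```php
<?php
declare(strict_types=1);

// Added example. SESSION_IDLE_LIMIT and all function names are assumptions.
const SESSION_IDLE_LIMIT = 1800; // seconds of inactivity before the session expires

function start_secure_session(): void
{
    ini_set('session.use_strict_mode', '1');  // reject session IDs the server did not issue
    ini_set('session.use_only_cookies', '1'); // never accept the ID from the URL or POST
    session_set_cookie_params([               // array form needs PHP 7.3+
        'lifetime' => 0,       // cookie ends with the browser session
        'path'     => '/',
        'secure'   => true,    // send the PHPSESSID cookie over HTTPS only
        'httponly' => true,    // keep the cookie out of reach of JavaScript
        'samesite' => 'Lax',
    ]);
    session_start();
}

function login(int $userId): void
{
    session_regenerate_id(true);              // fresh ID at login, old one deleted
    $_SESSION['user_id']   = $userId;         // data lives on the server, not in the cookie
    $_SESSION['ip']        = $_SERVER['REMOTE_ADDR'] ?? '';
    $_SESSION['last_seen'] = time();
}

function session_is_valid(): bool
{
    if (!isset($_SESSION['user_id'], $_SESSION['ip'], $_SESSION['last_seen'])) {
        return false;                         // nobody is logged in
    }
    $sameIp = hash_equals($_SESSION['ip'], $_SERVER['REMOTE_ADDR'] ?? '');
    $fresh  = (time() - $_SESSION['last_seen']) <= SESSION_IDLE_LIMIT;
    if (!$sameIp || !$fresh) {
        $_SESSION = [];                       // drop the server-side data
        session_destroy();
        return false;
    }
    $_SESSION['last_seen'] = time();          // sliding idle timeout
    return true;
}
```

The IP check will log out legitimate users whose address changes mid-session (mobile networks, rotating proxies), so treat it as a minimal extra check and not as a substitute for HTTPS.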