Giving out your session id is equivalent of giving out your password. If your users are going to be doing that, then they shouldn't have access to the system in the first place. That's more along the lines of business practices and ethics than php security.
However, passing your session id in the url, although compatible for people not using cookies, isn't particularly secure. Most users wouldn't know how to pick up their sessid from a cookie, but it's quite obvious when it's in your url.
About the session deletion, the session id on the server isn't deleted until the time expires, or it's explicitly destroyed using the session_destroy() function. Normally, when you close the browser the cookie is deleted, so next time you open it you have no session id and must start a new one, however when passing it through the url, it's no problem just to append it to the url and have access to your session again.
I destroy my sessions like this:
foreach($_SESSION as $k=>$v) {
unset($_SESSION[$k]);
}
session_destroy();
My advice. Get rid of the SessID from the url, pass it in cookies and require your users have them turned on. If they ARE giving out their session id, then consider whether they should have access. If they aren't, and it's being picked up using packet sniffers such as ethereal, or something along those lines, and your data really is this sensitive, consider switching to a secure connection (SSL).
Hope that helps,
Matt
