The session ids are passed in the payloads (body of the response) not in the URLs in the browser window normally. For the security there are other mechanisms like SSL, so other person can not see/alter the contents. If the client itself want to tamper the response, anyway cookies are stored in his computer. So he can also play with the cookies and find the session ids. Cookies are not consider safe , that why some people disabled them.
Nothing is 100% secure in internet. It depends on the application needs, security policies definded etc. As there are more and more evaluations in technologies, the hackers also use more and more sopisticated tools.