Yes. Php session handling can save the info on the server, but it still uses regular cookies to identify the user.
You are absolutely right, but anyone in their right mind wouldn't use sessions in the URL (think SEO) unless it was in a password-protected part of the site or you got rid of them for the bots.