Session ID can be added to the URL, so yes, they can.
Check out here
Change the answer to an additional question
Cookies are the preferred method if you can help him. You should read the Wikipedia article to better understand. From the article, if you are not reading it:
Session ID transfer as HTTP cookies is more secure