My bad, that's what happens when you don't read carefully.
The answer is YES, it does have to match both.
This is from the CodeIgniter docs:
When session data is available in a database, every time a valid session is found in the user's cookie, a database query is performed to match it. If the session ID does not match, the session is destroyed. Session IDs can never be updated, they can only be generated when a new session is created.
So this means yes, it does do a match.
From GitHub (stable 2.1) you can take a look at the database matching process here:
https://github.com/EllisLab/CodeIgniter/blob/2.1-stable/system/libraries/Session.php#L135
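
A simplified model of the database lookup the documentation passage describes, added here as an example; it is not code from CodeIgniter's Session.php or from the answer above. The `ci_sessions` columns and the `sess_match_ip` / `sess_match_useragent` settings are CodeIgniter 2.x names; `validate_session()` and all sample values are constructed for illustration, and the in-memory SQLite store is an assumption so the script runs on its own.

```php
<?php
// Simplified model of the server-side match (illustration only, not CodeIgniter's code).
// Returns the stored row when the cookie's session matches, or null when it does not,
// in which case the caller discards the cookie and starts a new session.
function validate_session(PDO $db, array $session, array $cfg): ?array
{
    $sql = 'SELECT * FROM ci_sessions WHERE session_id = :sid';
    $params = [':sid' => $session['session_id']];
    if ($cfg['sess_match_ip']) {            // optional extra condition
        $sql .= ' AND ip_address = :ip';
        $params[':ip'] = $session['ip_address'];
    }
    if ($cfg['sess_match_useragent']) {     // optional extra condition
        $sql .= ' AND user_agent = :ua';
        $params[':ua'] = $session['user_agent'];
    }
    $stmt = $db->prepare($sql);             // bound parameters, no string interpolation
    $stmt->execute($params);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed sample store holding one legitimate session.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE ci_sessions (session_id TEXT PRIMARY KEY, ip_address TEXT,
           user_agent TEXT, last_activity INTEGER, user_data TEXT)');
$db->exec("INSERT INTO ci_sessions VALUES
           ('aaaa1111', '192.0.2.10', 'ExampleBrowser/1.0', 1700000000, '')");

$cfg = ['sess_match_ip' => true, 'sess_match_useragent' => true];

// Constructed cookie contents: one valid, two that must be rejected.
$cases = [
    'stored session'            => ['session_id' => 'aaaa1111',
        'ip_address' => '192.0.2.10', 'user_agent' => 'ExampleBrowser/1.0'],
    'session id not in table'   => ['session_id' => 'zzzz9999',
        'ip_address' => '192.0.2.10', 'user_agent' => 'ExampleBrowser/1.0'],
    'stored id, other browser'  => ['session_id' => 'aaaa1111',
        'ip_address' => '192.0.2.10', 'user_agent' => 'OtherClient/2.0'],
];

foreach ($cases as $label => $session) {
    $ok = validate_session($db, $session, $cfg) !== null;
    echo str_pad($label, 28), $ok ? 'accepted' : 'destroyed', PHP_EOL;
}
```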