That's interesting question.
Although PHP sessions were invented initially to work with cookies disabled, this feature was proven insecure and become somewhat frowned upon nowadays.
However, this feature still works - PHP can rewrite all local links adding session id to them and thus make it transferred from page to page.
Yet it's still insecure, as unsuspecting user may send a hyperlink to a friend, and session id as well - making friend logged in.
How session would uniquely identify the user, etc.?
The idea of a session is not to identify the user but to transfer a session id between separate requests. So, as long as you can manage to do so - you can keep the session. Say, in a modern web-application that is using AJAX all the way, one can do without cookies all right, yet keep application pretty secure - just by means of transferring session id strictly via AJAX calls, not showing it in the address bar.