Here's my opinion about your first question. Personally, I generally try to use the cookie method first, and if it fails (the user rejects cookies, the user-agent doesn't support cookies, or whatever reason), the system falls back to the URL method. So, I'd say it's not cookie versus URL method but rather a team effort here!
If I absolutely had to choose between the two, I'd go for the URL method; it's safer (in the way that it's not affected by the user's choice), and if I remember correctly, there's an option in PHP to use the var SID transparently so it doesn't appear in the URL but it's still passed around (I'll have to check on that one though...).
But otherwise, try to use a combo. Makes your system more stable.
Thanks very much for that. FYI, this is what I found in the PHP doc re: a transparent SID:
session.use_trans_sid (boolean)
session.use_trans_sid whether transparent sid support is enabled or not. Defaults to 0 (disabled).
Note: For PHP 4.1.2 or less, it is enabled by compiling with --enable-trans-sid. From PHP 4.2.0, trans-sid feature is always compiled.
URL based session management has additional security risks compared to cookie based session management. Users may send an URL that contains an active session ID to their friends by email or users may save an URL that contains a session ID to their bookmarks and access your site with the same session ID always, for example.