Question to understand and to feel safe ... sorry for my english.

At a php based web shop we use session management with cookies or URL-parameters for tracking. SE bots get the page without session IDs. Human visitors will be redirected to the same page with a session ID in all links.

We identify bots by known ip adresses or by their access of robots.txt. Identified bots get an 200 and the page without session IDs.

Concern: If googlebot visits the page anonymously, he will get a redirect and a page with session IDs. Content of the two pages is the same but the html code is different because of session ID.

Risky?

If so: how to handle it?

Should we put meta robots noindex nofollow at all pages with session IDs?

THX,
albert.