Why is passing the session id as url parameter insecure?
Is passing the session id as url parameter really insecure?
While it's not inherently insecure, it can be a problem unless the code is very well-designed.
Let's say I visit my favorite forum. It logs me in and appends my session ID to the URL in every request. I find a particularly interesting topic, and copy & paste the URL into an instant message to my friend.
Unless the application has taken steps to ensure that there's some form of validation on the session ID, the friend that clicked that link may inherit my session, and then would be able to do anything I can do, as me.
By storing session identifiers in cookies, you completely eliminate the link sharing problem.
There's a variation on this theme called session fixation, which involves an intentional sharing of a session identifier for malicious purposes. The linked Wikipedia article goes into depth about how this attack works and how it differs from unintentional sharing of the session identifier.
Why are cookies more secure?
Cookies can be more secure here, because they aren't something that normal users can copy & paste, or even view and modify. They're a much safer default.
What possibilities does an attacker have for both options?
Neither of these methods is secure from man-in-the-middle attacks over unencrypted communication. Browser addons, spyware and other client-side nasties can also spy on both methods of storing session identifiers.
In both cases, server-side validation that the client that claims to own a session ID is best practice. What this validation is composed of is up for debate. Keep in mind that users behind corporate proxies may hop between IP addresses between requests, so locking a session to an IP address may accidentally alienate people. The session fixation article mentions a few other helpful alternatives.
Most of the websites store their user's login state into the session, and if an attacker has the session id, he has got the privileges of the logged in user as well. In other words,the two concerns of maintaining the session and authentication are often coupled.
One problem is that, it is easy to make session fixation attacks. In this case an attacker would send a prepared URL with a known session id to the user. If the user clicks this URL and does a login, the attacker would have a session with priviledges. If the website requires a cookie though, then a prepared URL in an email won't be enough.
If a site uses HTTP mixed with HTTPS, the id would be transmitted plaintext in the URL for all HTTP requests (even for an image request). So if the attacker can read a single HTTP request after the user has logged in, he knows the session id.
A way out of the problem would be to separate the two concerns, maintaining the session and authentication. You could then leave the session id unprotected, only for maintaining the session, and use a separate cookie to check for the login state. This cookie must be configured to be sent to HTTPS pages only.
In addition to what Charles and Martin have said, putting anything in the URL makes it more likely that it will leak. This can be through a Referer header in a linked resource, from access to the endpoint with browser history records, from brute force history sniffing, inappropriately protected web logs, and so on. So it's generally inadvisable to put anything you want kept secret in a URL/query string.
I've not seen PayPal using server-session IDs in URLs. There's no way it would really be more secure than cookies; the reason it was typically done in the past was to support browsers without cookies enabled. This is less and less a concern these days, and the usability problems of not being to share links, in addition to the session fixation attacks, mean that session-in-URL is usually avoided today.