Encrypting the strings yields long URLs or large cookie data. I usually use a one way hash algorithm such as MD5 on the ID (of course that's getting somewhat dangerous now due to the apparent hackability of MD5, SHA-256 might be a better choice) and store that in the cookie, or the URL. I store a copy of that in the database with the row of information I need for the user.

For extra security you can change the session string each time they hit the site. I would do this especially if you're using URLs since that way the session string is likely to have changed if your user shares the URL with someone and you can generate a new session or ask the new connecting user to login or whatever.

I can't say I've used the session modules that people so often talk about. I really don't like extra temp files that many of them create. I know some of them have options for using the database, but I typically have to make a call to the database anyway, why make a separate one?

I'm not going to say my method is better/worse than anyone else's. It works for me!