1. If your script sends a session id, everyone who visit the script would get a session id.

Answers are reversed to make it a little easier.

3. Usually the session id is sent throgh the answer http header as a cookie. It is designed to be a 32 byte random number, that makes a hijack of someone elses session more difficult. Then when a user progresser through the site the user sends back the 32 byte number to mark a valid session. So when the script receives a sessionnumber it should not send a new sessioncookie. The received cookie is set up to compare to sessiondata stored on the server usually in a tmp-file.

2. The session file should just hold a user_id, so if the session-tmp-file exists on a particular session the user_id could be retrieved through the file.

Also if you don't want to have a sessionfile you could hold the session information in the db.