From the docs (emphasis mine):
Sessions are a simple way to store data for individual users against a unique session ID. This can be used to persist state information between page requests. Session IDs are normally sent to the browser via session cookies and the ID is used to retrieve existing session data. The absence of an ID or session cookie lets PHP know to create a new session, and generate a new session ID.
When a new session is started PHP generates a random string. This ID is then sent back to the browser as a cookie value. Subsequent requests pass this cookie back to the server so it can be looked up and know it's the same user coming back. The random session ID makes it hard for others to guess and gain access to another person's session.
In the most recent version of PHP you can set the length of the session ID if you're concerned it's easy to guess. But statistically the defaults for session ID generation are not a concern for most websites.
The session.name
configuration determines the cookie name in the browser. By default it is PHPSESSID
.