If you have the session ID in a cookie then somebody must hijack or otherwise steal the cookie.
Possible but technically more complex.
If you have the session ID in a string then you have the key to your site sitting in every url cache in any browser in any internet cafe where your users decided to visit your board.
In theory again but - any stupid can do it so it is likely that any stupid will do it.
Plus, technically challenged users will always copy the session ID when they send links to friends. They do, yes, I know this out of bad experience...sure you wil have a timeout but still you have to let the SID live for a while, right?
Plus, as connor said, searchengines do not find these session strings very attractive.
The German PunBB Site:
PunBB-forum.de