SessionId is an identifier for the server to identify the incoming request. You can get to know sessionid most of the time either by looking at the browser cookies or in the Url however that doesn't mean you can control that session. There can be
alot of other security features associated with the session, one of them being the authenticated user. A lot of times, server issues a unique token which is encrypted in the header to identify the valid user (just an example).
Key here is that session id can only be used by server to retrieve the Httpsession object using session id. Think of a map maintained by a server and whenever any request comes and passes all the security parameter, server uses the session id and retrieve the session object from the map and serves the request.
You can refer to Head First Servlets and JSP to start with. I found it really helpful to understand the basics.