Ah, no it meant that if you store in your cookie, user_id=3 say, if I log in, get a valid session, and change that cookie value to 4, or 5, or 10, or 2, what user will the system think I am. Valid session, valid user id, must be user 5 or 6 - yes? No. It is user 3 mucking about with the cookie.
However, if I check the cookie and find user id = HGKJHIE9353hkb3452kjb I can try altering it, but chances are I am not going to find a valid string. Also, that string can be checked against the stored string in the current session.
Also, if I join and find I am user_id=237, I can have a pretty solid idea of the maximum number of users that site has, which might be information you do not want to share.
Hope that helps,
Paul.
