Session management changed some time back (I think it was around 4.4). The old mechanism still works, but is deprecated. It’s rather confusing, so I recommend staying clear of it. Today, you use sessions by accessing the global variable $_SESSION (It’s an array). You can put object instances in there, but you need to load the class definitions for those objects before starting the session on the next page. Using autoload can help you out here.
You must start a session before you can use $_SESSION. Since starting the session sends headers, you can’t have any output before. This can be solved in one of two ways: Either you always begin the session at the start of your script. Or you buffer all output, and send it out at the end of the script.
One good idea is to regenerate the session on each request. this makes hijack much less likely.
That’s (slightly) bad advice, since it can make the site inaccessible. You should regenerate the session-id whenever a users privileges changes though. In general that means, whenever they log in. This is to prevent session-fixation (A form of session-hijacking). See this recent thread @ Sitepoint for more on the subject.
Using cookiebased sessions only is OK, but if you regenerate session id’s on login, it doesn’t add any additional security, and it lowers accessibility a bit.