Friday, 23 February 2018

how is session_id stored in cookie secure?

My understanding of how sessions work is below; I wonder if my understanding is correct.

  1. when the user logs in, the server creates a session_id - user_id mapping
  2. the server stores the session_id in a browser cookie
  3. when the user comes back, the server looks up the cookie and reads the session_id
  4. the server looks up the session_id - user_id map and, if it finds the mapping, the user is logged in with that user_id

Q1: Is my understanding correct?

Q2: If so, if someone can somehow insert a session_id into his browser cookie, can he log in as someone else?

Q3: Does using SSL prevent the above possibility?
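The four steps above, written out as a minimal server-side session store. This is an added example, not code from the post or from any particular framework; the `sid` cookie name, the one-hour lifetime and the in-memory map are assumptions chosen for illustration. It shows why the cookie is only as safe as the session id itself (unguessable, expiring) and the cookie attributes that keep it from being sent in the clear.

```python
import secrets
import time
from http.cookies import SimpleCookie
from typing import Dict, Optional

SESSION_TTL = 3600  # seconds; a constructed value for this example

# Step 1's server-side map: session_id -> {"user_id", "expires"}. In-memory
# here; a real deployment keeps it in a store shared by all web servers.
SESSIONS: Dict[str, dict] = {}


def create_session(user_id: str, now: Optional[float] = None) -> str:
    # Step 1: mint the id from a CSPRNG (256 bits) so it cannot be guessed
    # or enumerated. The id is the only secret in the scheme, so it must
    # never be sequential or derived from user_id.
    now = time.time() if now is None else now
    session_id = secrets.token_urlsafe(32)
    SESSIONS[session_id] = {"user_id": user_id, "expires": now + SESSION_TTL}
    return session_id


def set_cookie_header(session_id: str) -> str:
    # Step 2: the Set-Cookie value that stores the id in the browser.
    # Secure: the browser only sends it over HTTPS (why TLS matters for Q3);
    # HttpOnly: page scripts cannot read it;
    # SameSite: it is not attached to cross-site requests.
    cookie = SimpleCookie()
    cookie["sid"] = session_id
    cookie["sid"]["secure"] = True
    cookie["sid"]["httponly"] = True
    cookie["sid"]["samesite"] = "Strict"
    cookie["sid"]["path"] = "/"
    return cookie["sid"].OutputString()


def user_for_cookie(cookie_header: str, now: Optional[float] = None) -> Optional[str]:
    # Steps 3-4: read sid from the request's Cookie header and look it up.
    # Returns None for a missing, unknown or expired id; an expired entry is
    # deleted so the same cookie value cannot be reused later.
    now = time.time() if now is None else now
    cookie = SimpleCookie()
    cookie.load(cookie_header)
    morsel = cookie.get("sid")
    entry = SESSIONS.get(morsel.value) if morsel is not None else None
    if entry is None:
        return None
    if entry["expires"] <= now:
        del SESSIONS[morsel.value]
        return None
    return entry["user_id"]
```

Whoever presents a valid `sid` is treated as that user, which is exactly the concern in Q2; the defences are that a valid id cannot be guessed, that it expires, and that the Secure flag stops the browser from sending it over plain HTTP.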
