views: 42
answers: 2
I'm having a few doubts here as to how sessions should be handled.

Right now, I have a MySQL database where the "users" table has a field for session_id. If NULL, the user is not logged in? If the value is the same as the value of the PHPSESSID cookie, then the user is logged in.

I don't know why, but I somehow feel this isn't good enough a way to make sure which user I'm dealing with. Is there something I'm missing, or do my fears hold no ground?

+2  A: 

There's nothing essentially wrong with what you describe as far as I can see.

Of course, your login and logout mechanisms need to reliably add and remove the user ID when logging in or out (insert a user name only when passwords match, etc.). Also, expired sessions need to be removed reliably. If that is given, this should be fine.

Pekka
Yeah, the logout includes destroying the session cookie and setting the session field to NULL, plus the destroying of the server side session.
WebDevHobo
+2  A: 

Just an extension on what Pekka said: you could also include a 'last seen' field in your table and use that as a judge, because, as Pekka mentioned about expired sessions, your database won't be informed that they are gone. So you will be forced to either make something that manually checks the last time a user was there, or something along those lines, and then map that back to the session timeout (which I believe is either 15-30 minutes by default for PHP), and after said amount of time, clear any of the users who haven't been active within the last X minutes.

judda
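As an added example (not code from the question or from either answer), here is the check the thread describes written out in PHP: the PHPSESSID cookie value is looked up against the `session_id` column, a NULL column never matches, a row whose `last_seen` is older than the timeout is cleared as a logout would clear it, and a separate sweep clears users who simply stopped visiting. An in-memory SQLite table stands in for the MySQL `users` table, and the `users`, `session_id` and `last_seen` names are assumptions.

```php
<?php
// Added example, not from the question or answers: the "session_id matches the
// PHPSESSID cookie" check plus a last_seen timeout. Table/column names are assumptions.
const SESSION_TIMEOUT = 1800; // seconds (30 min, the upper end judda mentions)
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT,
           session_id TEXT NULL, last_seen INTEGER NULL)');

// Constructed rows: alice seen a minute ago, bob idle an hour, carol logged out.
$now = time();
$ins = $db->prepare('INSERT INTO users (name, session_id, last_seen) VALUES (?, ?, ?)');
$ins->execute(['alice', 'sess_alice_123', $now - 60]);
$ins->execute(['bob',   'sess_bob_456',   $now - 3600]);
$ins->execute(['carol', null,             null]);

// User id for a live session, or null when not logged in: no cookie, no row
// with that session_id (a NULL column never matches), or last_seen past the timeout.
function currentUser(PDO $db, ?string $cookieSessionId, int $now): ?int
{
    if ($cookieSessionId === null || $cookieSessionId === '') {
        return null;
    }
    $q = $db->prepare('SELECT id, last_seen FROM users WHERE session_id = ?');
    $q->execute([$cookieSessionId]);
    $row = $q->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return null;
    }
    if ($now - (int)$row['last_seen'] > SESSION_TIMEOUT) {
        // Expired: clear the row as a logout would (the PHP session itself is destroyed separately).
        $db->prepare('UPDATE users SET session_id = NULL, last_seen = NULL WHERE id = ?')
           ->execute([$row['id']]);
        return null;
    }
    $db->prepare('UPDATE users SET last_seen = ? WHERE id = ?')->execute([$now, $row['id']]);
    return (int)$row['id'];
}

// Periodic sweep for users who simply stopped visiting; returns the rows cleared.
function clearIdleSessions(PDO $db, int $now): int
{
    $q = $db->prepare('UPDATE users SET session_id = NULL, last_seen = NULL
                       WHERE session_id IS NOT NULL AND last_seen < ?');
    $q->execute([$now - SESSION_TIMEOUT]);
    return $q->rowCount();
}

var_dump(currentUser($db, 'sess_alice_123', $now), currentUser($db, 'sess_bob_456', $now));
echo clearIdleSessions($db, $now), " idle row(s) cleared\n";
```

Run it with the PHP CLI; bob's lookup clears his row on the spot, so the sweep afterwards only finds rows that were never looked up.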