The “cid” in your http call is the client id, where client refers to the device or program that makes the request. It is usually stored in a cookie (on the web) or generated by an SDK (in an app) and is used to unify subsequent requests from the same device into sessions. Since it is set by the client it differs from device to device (and browser to browser), so it can not be used to identify a person across multiple devices.
After it became the rule that any given person might have two or more devices Google came up with the uid, the user id (which by their own TOS might not identify the user, so this is a bit of a misnomer; think “cross device tracking id” and the concept becomes clearer). The uid is set by serverside code, i.e. after the user logs in. Not only this allows to unify visits from multiple devices into distinct users, it also alleviates privacy concerns (since it is supposed to be only created after a users action; there are separate TOS which you have to accept if you create a user id view in the GA interface, and they stipulate that you have to secure the users agreement to use to user id feature).
So if you set the same user id in your code the sessions will be attributed to the same user, even when the cid differs; this is by design and is indeed the point of the uid.