- Cookie gets send with every single request to server, sessions don’t.
- Cookies are saved on client side. Sessions on server side.
- Cookie can be created with an expire date (e.g., 30 days), so that users won’t have to re-login after closing browser window. Sessions die with page close*.
*Some modern browsers with Open Recent Closed function might keep records of sessions even after page close.