Cookies and sessions aren't entirely distinct. A cookie is stored on the client and returned to the server with every request. That's how an individual user can be recognized among the hundreds of requests that can be occurring at the same time. But they're only on the client. You have to trust what they give you. They can decide what data they send you; users may not accept cookies at all, or could just as well send bogus ones.
Good Idea:
Store their preference for text size or page theme.
Bad Idea:
Store which user they are logged in as (and trust this information)
PHP sessions store data on the server. You can set session variables which will retain their values across requests from the same client. To do this, cookies are usually used -- using the unique cookie value, the server can look up the existing session data and load it for the script to use. The user can report whatever session ID they want. But sessions expire, and guessing one is highly unlikely. The real danger is someone sniffing or otherwise obtaining the session ID (hijacking it). This threat can be somewhat mitigated by using SSL (https).
Sessions are a much better choice for storing login info. Just be warned that sessions are designed to expire, so long term ("remember me") login will likely need to be a separate addition. The best reference is the official page, though a tutorial may help you wrap your head around it.
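The split described above, as an added example that is not part of the original answer: a display preference read from a cookie and validated, and the login identity kept in the server-side session. The in-memory user store, the `theme` and `user` cookie names and the `user`/`pass` form fields are assumptions made for the example, and the session cookie flags assume the site is served over HTTPS (PHP 7.3 or later).

```php
<?php
// Constructed user store so the example is self-contained; a real
// application would look the password hash up in its database.
$users = ['alice' => password_hash('correct horse', PASSWORD_DEFAULT)];

// Session cookie flags: sent over HTTPS only, not readable from JavaScript,
// and strict mode so PHP rejects session IDs it did not issue itself.
session_start([
    'cookie_secure'   => true,
    'cookie_httponly' => true,
    'cookie_samesite' => 'Lax',
    'use_strict_mode' => true,
]);

// BAD: identity taken from a cookie, which the client can set to anything.
// $currentUser = $_COOKIE['user'] ?? null;

// Fine: a display preference in a cookie, checked against an allow-list
// because the client may send nothing at all or a bogus value.
$themes = ['light', 'dark'];
$sent   = $_COOKIE['theme'] ?? '';
$theme  = in_array($sent, $themes, true) ? $sent : 'light';

// Login: verify the credentials, then record the identity on the server.
$user = $_POST['user'] ?? null;
$pass = $_POST['pass'] ?? null;
if ($_SERVER['REQUEST_METHOD'] === 'POST' && is_string($user) && is_string($pass)) {
    $hash = $users[$user] ?? null;
    if ($hash !== null && password_verify($pass, $hash)) {
        session_regenerate_id(true); // fresh session ID once logged in
        $_SESSION['user'] = $user;   // lives in server-side session data
    }
}

// GOOD: identity comes from the session data the server looked up
// using the session ID, not from anything the client asserted.
$currentUser = $_SESSION['user'] ?? null;

header('Content-Type: text/plain');
echo $currentUser === null ? "Not logged in\n" : "Logged in as $currentUser\n";
echo "Theme: $theme\n";
```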