First off you need to understand the difference between sessions and cookies.
Sessions and cookies are both key=>value stores. But where they're stored has great impact on their security properties.
Cookies are stored on the client machine. They are unsafe. A user can modify the value of a cookie, forget a cookie, send more cookies etc. Cookies can be stored for a very long period of time (months, years). Since the client stores the cookie you don't need to worry too much about space constraints. Just keep in mind that all the cookies are sent with every request.
Things you store in cookies are typically fairly inconsequential things like some preference settings or "I've already seen your popup asking me about questionnaire".
Session data is stored on the server, only the server can read from it and write to it. The user never sees what is in the session. Session data typically expires quickly, let's say anywhere between 30 minutes and 24 hours.
But how do you know which session belongs to which visitor? Well, you use a session identifier cookie. This is the only cookie you need for authentication. In PHP this cookie is PHPSESSID and it's created and used automatically when you call session_start();. The session cookie is a cookie with a random value that is hard to 'guess', which makes it secure.
The user will keep the session cookie. You can find the associated session data (automatically using $_SESSION). In the session data you can store whether the user is logged in, if so as which user, you can even store the rights a user has (like a mini-cache). You can treat this as an untamperable key=>value store, just make sure not to store too much in there (the limits depend on the storage mechanism).
Sessions are stored in a specific place; where depends on your webserver and OS. In PHP you can specify your own session storage handler by calling session_set_save_handler. This allows you to, for instance, keep your session data in a database.
If the value of the session identifier cookie is somehow exposed an attacker can hijack the session. It can be exposed by using an unsecured connection on a wifi access point (like in a bar). To counter this use HTTPS; cookies sent over HTTPS are encrypted and safe from this kind of man-in-the-middle attack. This is what the Firesheep plugin did (in 2010)
