In doing login authentication/authorization,what is the difference between session and cookie?

Cookies are written to the clients disk, and are used to keep track of the users session... unless you tack the id onto the url.

To clarify, there are two kinds of cookie: session and persistent. A session cookie only exists for that session, meaning until you close the browser then it disappears. This is generally used to track your progress around a site for anonymous web stats. As they are anonymous and temporary, they are harmless and not worth worrying about. A persistent cookies stores a unique identifier, so every visitor gets a different one. The date of expiry can be set for these by the webmaster so they stay live for a preset time. Such cookies are used for sites like this one, they store your login id, your preferences and again track your progress through the site. These persistent ones are the ones which can be a threat to your privacy, since many banner ads on sites can set them too, then track you whenever you reach another site running an ad by the same company. Thus they get a profile into your surfing habits and interests, which is valuable data for marketing companies.

Cookie - Client Session - Server ========== I From Thailand