What are HTTP cookies and sessions?

Cookies are small data stored by browser, sent with every request to that domain. Used for: session management, personalization, tracking. Attributes: Expires (lifetime), Secure (HTTPS only), HttpOnly (no JavaScript access), SameSite (CSRF protection). Sessions store user state on server, identified by session ID in cookie. Cookies are limited (~4KB), visible to client; sessions can store more, server-side. JWT tokens are alternative for stateless authentication.