A session is a global variable stored on the server. Each session is assigned a unique id which is used to retrieve stored values. Whenever a session is created, a cookie containing the unique session id is stored on the user's computer and returned with every request to the server.
Sessions are more secure than cookies, since they're normally protected by some kind of server-side security. This does not make them infallible, however.