I think SessionStorage only provides a client-only solution without any access to these values on server-side. In many server-side frameworks like ASP.Net and PHP, we would like to easily access the client-side values that we may have stored without using hidden fields etc., and then cookies become a better solution since cookies get automatically sent to the server-side.
Upon sign in, the server uses Set-Cookie HTTP-header in the response to set a cookie with a unique “session identifier”. Next time when the request is set to the same domain, the browser sends the cookie over the net using Cookie HTTP-header. So the server knows who made the request.
It also contains key-value pairs, but in comparison to a cookie, a session can contain object as a value. The storage implementation mechanism is server-dependent. A session is matched with a client by a cookie or request parameters. More info can be found here. 3.1. Getting a Session.
Notice the cookie that we are setting to the response and then forwarding it to LoginSuccess.jsp, this cookie will be used there to track the session. Also notice that cookie timeout is set to 30 minutes. Ideally there should be a complex logic to set the cookie value for session tracking so that it won’t collide with any other request.
Any time you set a cookie, you need to gather some information. Usually it's done in the format I'm showing here. Someone enters something into a text box, a button is clicked, and the cookie is written that contains the information provided by the reader. Once the cookie is written, you can call upon it again and again. Try this.
The token for that session was w344e3, which has now expired. Once John logs out from “Browser 1”, his current session token (a23ww2) expires as well. There is no way for any 3rd party to guess which session maps to which user since that information is stored safely on the server and is not made public. There is still something missing though.
The lifetime may be limited to the session, a number of days or not to be limited. The browser may be set up to delete cookes at end of session, or block them entirely. If a date is specified, the cookie is deleted on that date, otherwise it is cleared at the end of the session. The browser may postpone the expiration date at each visit. They may be stored in several files (IE), a single text.