cookies are stored at the client side; they contain attribute-value pairs that refer to a certain state of the client session. Clients can disable cookies in their browser, and furthermore, cookies are bound to a number of rules; there is a maximum of cookies per site (I think it's 30, but I'm not sure), there is max. size to a cookie etc. Since cookies are stored at the client side, users can always choose to throw away these cookies, or disable them. You as a server-side programmer have no influence on this (unless you're building an intranet app). URL rewriting is coding the attribute value pairs into the URL. These URLs are stored into the pages, user clicks on a link, and the state is sent back to the server. This always works, since it's standard URL technology (although there is a max. length of an URL). But it does expose your entire state to the client; suppose you store the entire shopping cart into your URL (some people actually have done this.....) and you have the following attribute value pair: price=2500, then you'll understand that such a state encoding scheme is not very suitable for e-commerce apps.
cookies and URL Rewriting are few of the techniques of session maintenance. URL Rewriting can be used only if the client i.e, browser is sending request by a get method whereas in case of post its not possible. cookies are a good way of session maintenance but can be disabled or cannot recognise the proxy server. I hope this helps a bit..