Cookies are placed on the client machine. Cookies contain String name/value pairs. They can be turned off by a client, or a client can reject them, so they are a somewhat unreliable way of placing information on a client machine.
A session, or HttpSession, is part of the Servlet API, and helps to turn a stateless protocol, like HTTP, into a stateful protocol.
Here's more information than you ever wanted to know about the HttpSession.
"The HttpSession adds state to a stateless, web based, interaction with a server. When a client makes a call to an application server, a Servlet developer can programmatically create and associate an HttpSession with that client. The session can then be used to keep track of all sorts of information about the user.
If the user tells us their favorite color, we can store that information in their session. If the user gives us their address and phone number, we can store that in their session. If they're taking an online exam, we can put the answer to every question they've been given into the session as well. We can then go back into that session object, at any point in time, and pull that information out.
So when a user is done taking an online exam, we can go into their session and find out which questions they got correct, and which questions they got wrong. If the client is picking out books, or other products they want to purchase, when they click "check out," we can go into their session, process their order, and tell them how much their purchase will be.
HttpSessions add state to a stateless protocol, and they are pivotal in making online applications work."
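
The online-exam case described above, as an added example that is not part of the original post or the quoted text. The servlet name, URL, parameter names and answer key are constructed for illustration, and the `jakarta.servlet` namespace is an assumption (older containers use `javax.servlet`).

```java
import jakarta.servlet.annotation.WebServlet;
import jakarta.servlet.http.HttpServlet;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import jakarta.servlet.http.HttpSession;
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;

// Hypothetical servlet: URL, parameter names and answer key are constructed.
@WebServlet("/exam")
public class ExamServlet extends HttpServlet {
    private static final Map<String, String> ANSWER_KEY = Map.of("q1", "b", "q2", "d", "q3", "a");

    // POST /exam with question=q1&answer=b : remember one answer in the caller's session.
    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        String question = req.getParameter("question");
        String answer = req.getParameter("answer");
        if (question == null || answer == null || !ANSWER_KEY.containsKey(question)) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "unknown question or missing answer");
            return;
        }
        HttpSession session = req.getSession(); // creates the session on the first call
        @SuppressWarnings("unchecked")
        Map<String, String> given = (Map<String, String>) session.getAttribute("answers");
        if (given == null) given = new HashMap<>();
        given.put(question, answer);
        session.setAttribute("answers", given); // re-set so the container sees the change
        resp.setStatus(HttpServletResponse.SC_NO_CONTENT);
    }

    // GET /exam : score the stored answers against the server-side key, then end the session.
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        HttpSession session = req.getSession(false); // do not create a session just to read it
        if (session == null || session.getAttribute("answers") == null) {
            resp.sendError(HttpServletResponse.SC_CONFLICT, "no exam in progress");
            return;
        }
        @SuppressWarnings("unchecked")
        Map<String, String> given = (Map<String, String>) session.getAttribute("answers");
        long correct = ANSWER_KEY.entrySet().stream()
                .filter(e -> e.getValue().equals(given.get(e.getKey()))).count();
        session.invalidate(); // the exam is over; discard the stored state
        resp.setContentType("text/plain");
        resp.getWriter().println(correct + " of " + ANSWER_KEY.size() + " correct");
    }
}
```

The answers and the key stay on the server; the client holds only the session identifier, which the container normally delivers in a cookie.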