Well, an HttpSession is the server side component available in the Servlet and JSP API, and it's the one that pretty much every large site uses, so simply 'majority rules' would indicate the HttpSession.
But an HttpSession often uses a cookie on the client to plant an ID, so in most cases, they are part of the same solution, unless you are using URLRewriting.
Use the HttpSession. Don't mess around too much with cookies.
The only case in which I would even consider cookie(s) over a session would be if the "user state" to be preserved could be represented very compactly in short string(s) AND exposing the contents did not constitute a security problem. There are big limitations on how much cookies can store - search for rfc2965.