Cookies and sessions are two methods for storing persistent data across page loads for a web visitor. Cookies and sessions are quite different and selecting the appropriate method early will prevent you from switching later.
Sessions use a cookie! Session data are stored on the server side, but a UID is stored on client side in a cookie. It allows the server to match a given user with the right session data. UID is protected and hard to hack, but not invulnarable. For sensitive actions (changing email or resetting password), do not rely on sessions neither cookies : ask for the user password to confirm the action.
Sensitive data should never be stored in cookies (emails, encrypted passwords, personal data ...). Keep in mind the data are stored on a foreign computer, and if the computer is not private (classroom or public computers) someone else can potentially read the data.
Remember me data must be stored in cookies, otherwise data will be lost when the
user closes the browser. However, don't save password or user personal data in the
remember me cookie. Store user data in database and link this data
with an encrypted pair of
key stored in a cookie.
It you red the previous recommandation, the choice between cookies vs sessions must be directed by the following question :
Must persistent data be keeped when the user closes the browser ?