You can use the Session object to store information needed for a particular user-session. Variables stored in the Session object are not discarded when the user moves between pages in the application; instead, these variables persist for the entire user-session. The Web server automatically creates a Session object when a Web page from the application is requested by a user who does not already have a session. The server destroys the Session object when the session expires or is abandoned. One common use for the Session object is to store user preferences. For example, if a user indicates that they prefer not to view graphics, you could store that information in the Session object. Note Session state is only maintained for browsers that support cookies. MICROSOFT, ASP.NET

Sessions are more secure and fast because they are stored at server side. But Sessions has to be used combined with Cookies or URLReWriting for mainting the client id that is sessionid at client side. Cookies are stored at client side so some clients may disable cookies so we may not sure that the cookies which we are mainting may work or not but in sessions cookies are disable we can maintain
our sessionid using URLReWriting. In URLReWriting we can't maintain large data because it leads to network traffic and access may be become slow. Where as in sessions will not maintain the data which we have to maintain instead
we will maintain only the session id.

Session tracking is a mechanism that servlets use to maintain state about a series requests from the same user across some period of time. The methods used for session tracking are:
a) User Authentication - occurs when a web server restricts access to some of its resources to only those clients that log in using a recognized username and password
b) Hidden form fields - fields are added to an HTML form that are not displayed in the client's browser. When the form containing the fields is submitted, the fields are sent back to the server
c) URL rewriting - every URL that the user clicks on is dynamically modified or rewritten to include extra information. The extra information can be in the form of extra path information, added parameters or some custom, server-specific URL change.
d) Cookies - a bit of information that is sent by a web server to a browser and which can later be read back from that browser.
e) Http Session- places a limit on the number of sessions that can exist in memory. This limit is set in the session.maxresidents property

Cookies are used to get user agents (web browsers etc) to hold small amounts of state associated with a user's web browsing. Later that information read by server

Cookies are a mechanism that a servlet uses to have a client hold a small amount of state-information associated with the user.
A) Create a cookie with the Cookie constructor:
public Cookie (String name, String value)
b) A servlet can send a cookie to the client by passing a Cookie object to the add Cookie () method of
HttpServletResponse:
public void HttpServletResponse.addCookie(Cookie cookie)
c) A servlet retrieves cookies by calling the get Cookies() method of HttpServletRequest:
public Cookie[ ] HttpServletRequest.getCookie( ).