Cookies are stored key/value pairs (with other attributes such as expiry, domain, path and ssl requirements) in the clients browser. The specification for them is in the HTTP specification and these can (generally) be read by back-end languages such as Rails or front-end technologies such as JavaScript.
Sessions are an unrestricted storage area for applications, generally used by the back-end language only (due to encryption and hash protection with server side secrets), although they may be stored in their entirety in a client-side cookie for convenience to avoid "sticky sessions" where requests have to come back to the same back-end server.
