A session is a set of information that persists across multiple page visits.

When a user enters a URL into the address bar, the browser sends a request to the server. The server receives the request, processes it, and sends back a response. That's called the 'HTTP lifecycle' or the 'Request lifecycle'. The user can send another request to the server by clicking a link or entering a new URL in the address bar. But the two requests don't know anything about each other. That's because web applications are stateless by default.

Stateless means that all requests to the server are sent and processed independently. Each request should be able to stand on its own.

Most of the time, this is useful because you can create any page without worrying about the user's previous location. But there are situations where some context is needed. The most common case is applications with a login system. When the user is authenticated, the app should be able to remember the user as they navigate the website.

One way to solve this is with sessions. A session is a set of variables stored on the server. Because sessions are stored on the server, they can contain sensitive information such as user data. The browser stores only a reference to the session, in a cookie, and sends it back with each request. This way, the user can access the same session across multiple requests.

A session usually lasts until the browser is closed, but the application can explicitly destroy it.

Using a session to authenticate users is called stateful authentication.
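
The flow described above, as an added example that is not part of the original page: a minimal server-side session store in Python where the cookie carries only an unguessable reference. The cookie name, the in-memory dictionary and the `handle` function are assumptions made for illustration.

```python
import secrets
from http.cookies import SimpleCookie

COOKIE_NAME = "session_id"  # assumed name, not from the page

class SessionStore:
    """In-memory session store; the variables never leave the server."""
    def __init__(self):
        self._sessions = {}  # session id -> dict of session variables

    def create(self):
        sid = secrets.token_urlsafe(32)  # unguessable reference from a CSPRNG
        self._sessions[sid] = {}
        return sid, self._sessions[sid]

    def load(self, cookie_header):
        """Return (sid, data) for a Cookie header, or (None, None)."""
        cookie = SimpleCookie()
        cookie.load(cookie_header or "")
        morsel = cookie.get(COOKIE_NAME)
        sid = morsel.value if morsel else None
        if sid in self._sessions:
            return sid, self._sessions[sid]
        return None, None  # missing, forged or destroyed id: a new visitor

    def destroy(self, sid):
        self._sessions.pop(sid, None)  # the old cookie now points at nothing

def set_cookie_header(sid):
    """Set-Cookie value with no Expires/Max-Age, so it ends with the browser."""
    cookie = SimpleCookie()
    cookie[COOKIE_NAME] = sid
    cookie[COOKIE_NAME]["httponly"] = True   # not readable from page JavaScript
    cookie[COOKIE_NAME]["secure"] = True     # only sent over HTTPS
    cookie[COOKIE_NAME]["samesite"] = "Lax"  # withheld on most cross-site requests
    cookie[COOKIE_NAME]["path"] = "/"
    return cookie[COOKIE_NAME].OutputString()

def handle(store, cookie_header, login_as=None):
    """Constructed request handler: returns (greeting, Set-Cookie or None)."""
    sid, data = store.load(cookie_header)
    set_cookie = None
    if login_as is not None:
        if sid:
            store.destroy(sid)  # fresh id at login; a pre-login id is not reused
        sid, data = store.create()
        data["user"] = login_as
        set_cookie = set_cookie_header(sid)
    user = data.get("user") if data else None
    return (f"Hello, {user}" if user else "Hello, guest"), set_cookie
```

Each call to `handle` is an independent request; the only thing that links them is the cookie value the browser sends back.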
