HTTP is stateless. Requests are unaware of each other and there is no persistent state information between requests. To overcome this challenge, and to enable more sophisticated use cases such as shopping carts, a few approaches are used to provide state management to HTTP applications.

One method is to store the session state information on the server. When a user authenticates with a web server, the server creates a session, stores the relevant information in server memory, and sends back an encrypted session ID to the client. The client browser stores this session ID in a cookie and passes the cookie to the server with every subsequent request.

The session information is usually kept in server memory or in a dedicated session store (a separate service or a database); an external store is what lets the application scale out across several servers or sit behind a load balancer, since any instance can then look up any session ID.
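The server-side session flow described above (authenticate, create a session, keep the state on the server, hand the browser only an opaque ID in a cookie, resolve the ID on later requests), as an added example that is not part of the original text. It uses only the Python standard library; the cookie name `sid`, the 30-minute idle timeout, the `SessionStore` class and the `login`/`handle_request` helpers are assumptions for illustration, and the in-memory dict stands in for whatever session store a deployment actually uses. It also goes slightly beyond the text by showing the two checks a practitioner wants at this point: the ID comes from a CSPRNG and carries no information itself, and a fresh ID is issued at login so an ID presented before authentication never becomes an authenticated session.

```python
import secrets
import time
from dataclasses import dataclass, field
from http.cookies import SimpleCookie

SESSION_COOKIE = "sid"       # hypothetical cookie name (assumption)
DEFAULT_TTL = 30 * 60        # assumed idle timeout in seconds


@dataclass
class Session:
    user: str
    last_seen: float
    data: dict = field(default_factory=dict)


class SessionStore:
    """Server-side session state keyed by an opaque random ID.

    The dict stands in for server memory or an external store (a cache
    service or database) shared by load-balanced instances; the client
    only ever holds the ID, never the state itself.
    """

    def __init__(self, ttl=DEFAULT_TTL, now=time.time):
        self._sessions = {}
        self._ttl = ttl
        self._now = now   # injectable clock so expiry can be exercised offline

    def create(self, user):
        sid = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG: unguessable
        self._sessions[sid] = Session(user=user, last_seen=self._now())
        return sid

    def get(self, sid):
        """Return the live session for sid, or None if unknown or idle-expired."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        if self._now() - s.last_seen > self._ttl:
            del self._sessions[sid]       # expired: drop it so it cannot be reused
            return None
        s.last_seen = self._now()
        return s

    def destroy(self, sid):
        self._sessions.pop(sid, None)


def set_cookie_header(sid):
    """Set-Cookie value sent after login: HttpOnly keeps page script from
    reading it, Secure limits it to HTTPS, SameSite=Lax narrows cross-site sending."""
    c = SimpleCookie()
    c[SESSION_COOKIE] = sid
    m = c[SESSION_COOKIE]
    m["httponly"] = True
    m["secure"] = True
    m["samesite"] = "Lax"
    m["path"] = "/"
    return m.OutputString()


def session_id_from_cookie_header(cookie_header):
    """Parse the client's Cookie header and pull out the session ID, if any."""
    c = SimpleCookie()
    c.load(cookie_header or "")
    m = c.get(SESSION_COOKIE)
    return m.value if m else None


def login(store, old_cookie_header, user):
    """Credentials were verified elsewhere (constructed stand-in). Discard any
    session ID the client already presented and issue a fresh one."""
    old = session_id_from_cookie_header(old_cookie_header)
    if old:
        store.destroy(old)
    sid = store.create(user)
    return set_cookie_header(sid)


def handle_request(store, cookie_header):
    """What a later request resolves to: the user behind the cookie, or None."""
    sid = session_id_from_cookie_header(cookie_header)
    s = store.get(sid) if sid else None
    return s.user if s else None


if __name__ == "__main__":
    store = SessionStore()
    set_cookie = login(store, None, "alice")      # response to the login request
    print("Set-Cookie:", set_cookie)
    cookie = set_cookie.split(";", 1)[0]          # browser echoes only name=value
    print("next request resolves to:", handle_request(store, cookie))
    print("unknown id resolves to:", handle_request(store, "sid=bogus"))
```

Running it shows that the cookie contains nothing but a random string, that only a request carrying that exact string resolves to a user, and that a session left idle past the timeout is dropped by the store rather than lingering in memory.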

Cookie-based authentication

Cookies are restricted to a single domain, which makes them awkward for cross-domain and third-party use cases. Token-based authentication was developed to address these limitations.