how session variables work without cookies

My understanding is not perfect, but as far as I understand:

Cookies are saved as a brief file on the user's computer and this file is sent to the server every time the user requests a page from that same server that gave it the cookie in the first place. The server can then use those cookies when running scripts. Cookies by default expire when a user leaves the site that gave him those cookies, but a date in the future can be set (an hour after the visit, a week, or even a year later). Does this make sense?

Session variables are stored on the server along with a reference to which user's scripts created them. The main difference is that the user does not need to send or store any kind of file on his own computer, the server does all of that. Session variables will expire after the user leaves the site no matter what you do (there is no way to change this behavior). They will even expire after the user has been inactive on the site for a given length of time (this length of time is dependent on server settings, I think the default is 15 minutes).

When programming a site you need to use cookies or a database to keep information that is going to be kept for more than one session (automatic logins are a good example, or "last time you visited this site"). For information that only needs to be kept for the few minutes someone is on your site, it is up to you whether you want to use cookies or session variables.

Jared