Cookies

Cookies are maintained by the browser and are sent in the HTTP request header using the Cookie header field. Each cookie has a name, value, domain, path, expiration time, and some other parameters. When a request is sent to a URL that matches the domain and path of a non-expired cookie, the client sends the cookie to the server. Cookies are usually stored in small files on the client by the browser or in a local database. The actual implementation is the business of the browser, and we need not worry about it. A cookie is just text information that is not executed by the client. It is only sent back to the server when some rules (mainly domain and path) match. Cookies are created by servers and are sent to the client in HTTP responses using the Set-Cookie header field. Thus, essentially, the server tells the client: "Hey, here is this cookie; whenever you come to me next time, show me this piece of information, so I will know it is you."

Cookies are usually used to remember clients. Advertisers and online shops that need to remember who they are talking to use them heavily. But this is not the only use. These days, any application that maintains user sessions uses cookies to chain up the HTTP requests that come from the same user. When you log in to an application, the username and password you use to identify yourself are sent to the server only once, and in subsequent requests, only a special cookie is sent to the server, which is used to identify the already logged-in user. This use of cookies emphasizes why it is important to use cookie values that cannot be easily guessed. If the cookie used to identify a user is easily guessable, then an attacker could just create a cookie and send it to the server, mimicking the other user. Cookie values used for this purpose are therefore usually long random strings.

Cookies are not always sent back to the server where they originate. When the cookie is set, the server specifies the domain of the URLs to which the cookie should be sent back. This is used when the user authentication is done by a different server from the one providing the services that need authentication.

Applications sometimes encode values into cookies. This is not necessarily bad, though in most actual cases, it is. When encoding something into a cookie, we should always consider the fact that the cookie travels through the network and can grow huge as more and more data is encoded in it, creating an unnecessary burden on the network. Usually, it is better to send only some unique, otherwise meaningless, random key, and store the values in some database, be it on disk or in memory.
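As an added example (not code from the book), the following Python model puts the preceding paragraphs together: the server issues an unguessable random session key and keeps the user's data on its own side, and the client-side matching logic decides, from domain, path, and expiry, which cookies travel back in the Cookie header. The names SESSION_STORE, new_session, set_cookie_header, cookie_matches, cookie_header, and lookup_session are assumptions made for the example.

```python
import secrets
import time
from urllib.parse import urlsplit

# Constructed in-memory session store (assumed design for the example): the cookie
# carries only an opaque random key; the user data itself never leaves the server.
SESSION_STORE = {}

def new_session(username, now=None):
    """Create a server-side session and return the opaque key to send in Set-Cookie."""
    key = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG: not guessable
    SESSION_STORE[key] = {"user": username, "created": now or time.time()}
    return key

def set_cookie_header(name, value, domain, path="/", max_age=3600):
    """Render the Set-Cookie response header the server sends to the client."""
    return f"{name}={value}; Domain={domain}; Path={path}; Max-Age={max_age}; HttpOnly; Secure"

def cookie_matches(cookie, url, now):
    """Decide, as a browser would, whether a stored cookie is sent with a request to url."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    # Domain rule: the request host is the cookie domain itself or a subdomain of it
    domain = cookie["domain"].lstrip(".")
    if not (host == domain or host.endswith("." + domain)):
        return False
    # Path rule: the request path is the cookie path or lies below it
    req_path = parts.path or "/"
    cpath = cookie["path"]
    if not (req_path == cpath or req_path.startswith(cpath.rstrip("/") + "/")):
        return False
    # Expiry rule: expired cookies are never sent
    return now < cookie["expires"]

def cookie_header(cookies, url, now):
    """Build the Cookie request header from the stored cookies that match this URL."""
    pairs = [f"{c['name']}={c['value']}" for c in cookies if cookie_matches(c, url, now)]
    return "; ".join(pairs)

def lookup_session(cookie_header_value):
    """Server side: parse the Cookie header and resolve the session from the store."""
    for pair in cookie_header_value.split(";"):
        name, _, value = pair.strip().partition("=")
        if name == "SESSION" and value in SESSION_STORE:
            return SESSION_STORE[value]
    return None  # unknown or forged key: no session, the client must log in
```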
