Quoted:
Here is how I understand it (forget about db input sanitizing, and hashing/salting for now):
1. visitor goes to login page for the domain.
2. login page retrieves client cookies for the domain.
3. if no cookies, the login page completes loading and gives user/pass form text boxes and button which user fills out and submits to login page
A note on 1,2,3: Client sends request to login page for the domain. Before the request is sent, if the browser has cookies for that domain that are not expired, they are sent with the request to the server that is rendering the login page. Just don't want you thinking the page "retrieves" client cookies (unless you're using localStorage/sessionStorage as a token store which is ).
The server or logic of the login page will determine, if cookies are sent, if the session is valid and redirect the client accordingly (i.e. if there is not a valid session with this session cookie value, redir to the login page or render the login form element, etc.)
4. login page queries website DB, finds username and validates the correct password
5. login page generates, say a random 100 character long a-Z & 0-9 string to use as cookie, inserts into DB cookies table, associates with foreign key of user account
A note on 5: server middleware facilities (should) use a secure PRNG to generate the session ID, they can be stored in a DB or keystore or in memory,
insert disclaimer about SSO/load balancing/proxies/etc here. Not sure if these details are relevant to your question but they can make a difference when you get to #10
6. login page pushes cookie to user after setting domain, cookie name/value, timeout, etc other cookie settings
7. login page redirects client to some User resource page
8. client opens user resource page, which retrieves client cookies for the domain.
9. client provides the cookie it was just given by login page
Just to clarify on 8,9 again, the browser always sends the unexpired cookies for that domain with each request, there's not really a retrieving of cookies
10. User resource page looks for this particular 100 character string of text in the cookies DB table, finds it, determines user ID associated with it, and then provides user-specific info to the client. voila
Is that how it works in practice? If not, is what I describe not feasible/secure/etc?
Finally, what is a "session"?
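
Steps 5 to 10 and the notes on them, as an added example that is not part of the original post: a server-side session store that mints the ID with a secure PRNG, sets the cookie attributes, and resolves the `Cookie` header the browser sends on later requests. The in-memory dict standing in for the cookies table, the cookie name `sid`, the 30-minute timeout and the function names are assumptions.

```python
import secrets
import time
from http.cookies import SimpleCookie

SESSION_TTL = 1800          # seconds; assumed timeout for this sketch
COOKIE_NAME = "sid"         # hypothetical cookie name

# Stand-in for the "cookies" DB table: session id -> (user id, expiry)
sessions = {}

def create_session(user_id, now=None):
    """Steps 5-6: mint a session id with a CSPRNG, store it, build Set-Cookie."""
    now = time.time() if now is None else now
    sid = secrets.token_urlsafe(32)          # 32 random bytes from the OS CSPRNG
    sessions[sid] = (user_id, now + SESSION_TTL)
    cookie = SimpleCookie()
    cookie[COOKIE_NAME] = sid
    cookie[COOKIE_NAME]["path"] = "/"
    cookie[COOKIE_NAME]["max-age"] = SESSION_TTL
    cookie[COOKIE_NAME]["secure"] = True     # only sent over HTTPS
    cookie[COOKIE_NAME]["httponly"] = True   # not readable from page script
    cookie[COOKIE_NAME]["samesite"] = "Lax"
    return sid, cookie[COOKIE_NAME].OutputString()

def user_for_request(cookie_header, now=None):
    """Steps 8-10: parse the Cookie header the browser sent, look up the session."""
    now = time.time() if now is None else now
    jar = SimpleCookie()
    jar.load(cookie_header or "")
    morsel = jar.get(COOKIE_NAME)
    if morsel is None:
        return None                          # no cookie: show the login form
    entry = sessions.get(morsel.value)
    if entry is None:
        return None                          # unknown id: treat as logged out
    user_id, expires = entry
    if now >= expires:
        del sessions[morsel.value]           # expired server-side: drop the row
        return None
    return user_id

def destroy_session(sid):
    """Logout: remove the server-side record so the cookie value is worthless."""
    sessions.pop(sid, None)
```

The expiry is enforced against the server-side record, not the cookie's `Max-Age`, since the client controls what it sends back.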