1. User data (login, password) is best stored in the database. In any case, start learning SQL - it will come in handy in the future.
In short, you can start making your own "storage manager" when you realize that the information is fucked up and needs to be structured somehow, the next step is to make the "storage manager" so much that it will look like your own DBMS (of varying degrees of curvature ). Skip all these steps at once.
2. Url with session id is not comme il faut, correct for the option with cookies. "It looks like they registered, but sometimes users see the login sign" - it shouldn't be like that, you have a mistake.

1. Fields with indexes - you can quickly search for the necessary records, transaction support, replication if the project is very large. In general, it turns out to be more flexible and more reliable, that's why it is a database to store structured data of various kinds.
2. Just deal with cookie timeouts. For example, if you want cookies to be present for 2 days from the last login, then in addition to specifying a timeout when creating cookies, you need to recreate it from time to time with a new expiration date. Then regular users will not receive the Login Form.

1. It is better to store data in the database for one reason for the user, with correctly written code, it is difficult to get there, but it is easier for you.
2. As for authorization, everyone knows that it is better to work with sessions. Here are the arguments:
- All data is stored on the server side and manipulation with them is prohibited to the user
- It may be that the user has cookies disabled and for this reason he will not be able to log in. With sessions, this problem disappears.
There is still a sea of ​​​​pluses in using sessions, but for me, this is enough. Now only a few use cookies.