PHP
JackShcherbakov, 2018-02-07 08:09:54

Should everything be stored in SESSION, or is it better to store something in COOKIE?

[Moderator, there is no clear answer on the Internet. And the answer "store whatever you want" does not quite suit me. Thank you for understanding.]
Hello! This question has been tormenting me for several days, but there is no clear answer on the Internet. I understand how cookies and sessions work. Thanks to the key, usually called PHPSESSID, the server can identify the user and create or retrieve the corresponding session, which stores some data.
So, cookies are on the client, sessions are on the server.
But what should be stored where? It is clear that it is better to store any secret data in the session, but what exactly should be stored in cookies? The moderator, before deleting my question, wrote something like: "store whatever you want." It's still not clear! Why write something to cookies when you can avoid loading the client with all sorts of cookies and leave him only PHPSESSID, getting by with just a session? After all, the setcookie() function was created for something. Where is it necessary to use cookies, apart from tokens and other information that provides access to the session? Where is a cookie indispensable?

4 answer(s)
Alexander Aksentiev, 2018-02-07
@Sanasol

After all, the setcookie() function was created for something.

There are so many more functions created for something! But you don't rush to use them just because they exist?)
Only if you need the functionality.
And what do you store there so massively? For authorization, it is enough to keep the user ID there; this is where the session's function ends.
in sessions))))
So store what you want, as they said; basically, all information related in one way or another to what is happening on the front end goes into cookies, as long as the backend has no need for it at all.
Anything from remembering which slide the slider stopped on to remembering what the user chose when sorting / filtering some table.

Maksim Fedorov, 2018-02-07
@Maksclub

You can put harmless data in the cookie:

  • user language or city
  • theme (in terms of design)
  • some tags for marketing (first source or ref-link)
  • you can store a basket (product id)
  • some dates
  • user id (but not from the database!!! but some kind of identifier harmless for statistics)
  • store how many times you liked this page and where you clicked
  • store the state of the modal window (whether it was already given a pop-up or not, so as not to load the window on each page and not annoy)

Evgeny Kalibrov, 2018-02-07
@rework

In a cookie, data can be stored for a very long time, while in a session on the server, data will be stored only during the session itself. This is ideal when you want to save some data for unauthorized users. For example: a person comes to your site, and the site uses notifications that first ask "does the person want to receive your notifications"; the answer to this question is best stored in a cookie. The next time this user visits your site, he will have a new session, but the information that he does not want to see notifications will be stored in the cookie.

Arman, 2018-02-07
@Arik

And how long can you afford to keep sessions on the server? What if the person doesn't come back? What if it is a bot that generated yet another session for you? Cookies help to save some values for a long time, so that much later we can tell that this person has already visited us and chose such and such options. On the other hand, cookies are sent on every request, whether it's a page, image, script, stylesheet, or ajax request. All or almost all cookies are always sent, so you need to be careful with them, not to mention the fact that they can be faked or read. You also need to take into account the size of the data sent in cookies: I have seen many cases where nginx fell over because of large cookies, the user was lost, and nothing was really visible in the logs.
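
The split the answers above describe, as an added example that is not taken from any of the posts: a long-lived, harmless preference lives in a cookie and is validated on every read because the client can edit it, while the user's identity stays in the server-side session. The constant and function names (`ALLOWED`, `DEFAULTS`, `readPreference`, `writePreference`), the allow-listed values and the `user_id` session key are assumptions; the array form of `setcookie()` needs PHP 7.3 or later.

```php
<?php
declare(strict_types=1);

// Assumed allow-lists for this sketch; any other cookie value is ignored.
const ALLOWED  = ['lang' => ['en', 'ru', 'de'], 'theme' => ['light', 'dark']];
const DEFAULTS = ['lang' => 'en', 'theme' => 'light'];

/** Read a UI preference from a cookie, treating the value as untrusted input. */
function readPreference(array $cookies, string $name): string
{
    $value = $cookies[$name] ?? null;
    // Cookies can be faked by the client: accept only known, short values.
    if (is_string($value) && in_array($value, ALLOWED[$name] ?? [], true)) {
        return $value;
    }
    return DEFAULTS[$name] ?? '';
}

/** Store a long-lived, non-sensitive preference on the client. */
function writePreference(string $name, string $value): bool
{
    if (!in_array($value, ALLOWED[$name] ?? [], true)) {
        return false; // never echo arbitrary input back into a cookie
    }
    return setcookie($name, $value, [
        'expires'  => time() + 365 * 24 * 3600, // outlives the server-side session
        'path'     => '/',
        'secure'   => true,   // HTTPS only
        'httponly' => true,   // set to false only if front-end scripts must read it
        'samesite' => 'Lax',
    ]);
}

// Identity stays on the server: the client holds only the session id cookie.
session_start([
    'cookie_secure'   => true,
    'cookie_httponly' => true,
    'cookie_samesite' => 'Lax',
    'use_strict_mode' => true, // reject session ids the server did not issue
]);
$userId = $_SESSION['user_id'] ?? null; // set by login code (not shown), never taken from a cookie

$lang  = readPreference($_COOKIE, 'lang');
$theme = readPreference($_COOKIE, 'theme');

// Constructed request handling: ?theme=dark switches the stored preference.
$requested = $_GET['theme'] ?? null;
if (is_string($requested) && writePreference('theme', $requested)) {
    $theme = $requested;
}
```

Keeping each cookie to a short allow-listed token also keeps the request headers small, which matters because every cookie is sent with every request.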
