Sessions

Sessions exist because HTTP is stateless. Every request is independent, so PHP needs a way to recognize the same user across requests. Sessions solve this by storing data on the server, and only sending a session id (PHPSESSID) to the browser via a cookie. On each request, PHP reads that cookie, loads the matching session data, and populates $_SESSION.

Nothing magical: cookie id in, server-side data out. session_start() is mandatory and must run before any output because it reads and sends headers.

Writing to $_SESSION stores data server-side, overwriting a key updates it, unsetting removes it, and destroying the session wipes everything linked to that session id. Compared to storing data directly in cookies, sessions are more secure because the actual data never leaves the server; the browser holds only the session id.
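The lifecycle described above, as an added example that is not part of the original page: since the browser holds only the session id, the code protects that id with cookie flags, strict mode and regeneration on login. The key names, the value 42 and the login()/logout() helpers are hypothetical; it assumes PHP 7.3 or later and a site served over HTTPS.

```php
<?php
// Added example, not from the original page. Keys and values are constructed.
declare(strict_types=1);

// Configure first: session_start() sends the Set-Cookie header, so no output before it.
ini_set('session.use_strict_mode', '1');   // reject ids the server did not issue
ini_set('session.use_only_cookies', '1');  // never accept the id from the URL
session_set_cookie_params([
    'lifetime' => 0,       // cookie ends with the browser session
    'path'     => '/',
    'secure'   => true,    // sent over HTTPS only
    'httponly' => true,    // not readable from JavaScript
    'samesite' => 'Lax',
]);
session_start();           // cookie id in, $_SESSION populated

// Write, overwrite, unset: the data stays on the server.
$_SESSION['cart_items'] = 1;
$_SESSION['cart_items'] = 2;       // overwriting a key updates it
unset($_SESSION['cart_items']);    // unsetting removes it

// On login, issue a fresh id and delete the old session data (limits session fixation).
function login(int $userId): void
{
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
}

// session_destroy() removes the server-side data only; it does not empty
// $_SESSION for the current request or expire the browser's cookie.
function logout(): void
{
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', [
        'expires'  => time() - 42000,
        'path'     => $p['path'],
        'domain'   => $p['domain'],
        'secure'   => $p['secure'],
        'httponly' => $p['httponly'],
        'samesite' => $p['samesite'],
    ]);
    session_destroy();
}

login(42);
logout();
```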