For my previous question I gave the answer to be a combination of a session object on the server side and using encoding to secure sensitive information. Then the interviewer asked: the session object also uses cookies/URL rewriting to maintain state, depending on the client browser settings, so how is it secure? As you said, cookies are on the client side, and URL rewriting has its own problems, like following a link to an outside application and then coming back to the application, which will not have the encoded user state in the URL?