I don't really think that's always true, if the cookie merely has a session ID then the session itself can be stored server-side (not necessarily in memory of course) and in fact could be a resource in its own right.

Also deciding to put the session ID in a cookie not the URL is purely a pragmatic approach (e.g for security reasons).