The difference between using a cookie and PHP-sessions, is that data stored in the session are only accessible from the server side script. So you can put trusted information in there.
For very large scale systems, you can set up sessions to be stored in a database instead, which makes it possible to distribute the load across multiple servers. But it's still set up and torn down on a per request basis.
The performance issue isn't the biggest problem with the use of sessions though. If you pull data out of the database and put it in session, you have two copies of the data. This is something that you generally want to avoid in software, since it leads to concurrency issues. With web applications, the problem is even greater. The nature of the web is stateless, but if you store application state in sessions, you break this feature. This means that your users can't bookmark pages, or use the back-button of the browser. You may also get unexpected behaviour if the user has multiple windows open to the same application. As a general rule of thumb, try to minimize use of sessions, and try to use query-parameters to maintain application state.
On the flipside - If your application is completely stateless, it's very easy to appply caching techniques on top of it.