Before core version 4.0 the authentication depended only on cookies.
Starting with 4.0 core introduced its own sessions (WP_Session_Tokens
) to better handle security things. Note that these are not PHP sessions, they are implemented purely by WordPress and use user meta as storage.
Unfortunately I don’t think there is any clear documentation for this feature. From quick search it was discussed and implemented in ticket #20276 Tie nonces and cookies to expirable sessions.