The main difference, in Rails 3, is that when you use cookie[:foo] = 'bar' the user is able to see the value for the cookie, i.e. 'bar'. When you use session[:foo] = 'bar' the value will be encrypted by rails and stored in the _myapp_session cookie.
You would use the cookie[] format when the information you want to store is not bound to the session, e.g. when the users selects the preferred language.
You would use the session[] format when you want to store information that is related to the current session, e.g. the id of the the user.
From Rails 4 cookies became encrypted by default.