I can explain the session cookie right now.
It's like the key to the padlock of a current period of interactivity.
Stay away too long and the padlock expires, so you need a new key, and have to login again.
Keep refreshing and working, and the padlock is "current", therefore your key is current.
If you delete that key (clear cookies), you just have to login again.
The cookie is not used for anything else and is only relevant to the instance of osticket that you've logged into. Meaning: even if the same server has multiple instances of osticket installed, you'll need to login to each one.
No other server can read the cookie, nor is any personal data stored in the cookie anyway.
If a malicious actor steals a cookie, it is only useful for a short time while the session is open. That time is configurable on the admin panel and can be locked to the IP address used to login.
In short, you could say: "This system uses a session cookie as a convenience to you. It is only used to maintain your current logged in session, you may delete it after you've logged out with no problems. By logging in you accept this."