In the documentation for the app sign-in flow, the session cookie is described this way:
A cookie is saved, associated with a Microsoft Entra domain, that contains the identity of the user in the browser's cookie jar. The next time an app uses the browser to navigate to the Microsoft identity platform authorization endpoint, the browser presents the cookie so that the user doesn't have to sign in again. This is also the way that SSO is achieved. The cookie is produced by Microsoft Entra ID and can only be understood by Microsoft Entra ID. The web app then validates the token. If the validation succeeds, the web app displays the protected page and saves a session cookie in the browser's cookie jar. When the user navigates to another page, the web app knows that the user is authenticated based on the session cookie.
"The cookie is produced by Microsoft Entra ID and can only be understood by Microsoft Entra ID."
Let me know if this addresses your concerns or if you are looking for any more detail. I've also reached out to the product team to see if they can add more context around these statements.
If the information helped you, please Accept the answer. This will help us as well as others in the community who may be researching similar questions.
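The flow in the quoted documentation involves two separately keyed cookies: the SSO cookie that Entra ID alone can read, and the session cookie the web app mints for itself after it has validated the id_token. The following is an added example, not code from the original answer, the documentation or Microsoft: a constructed, offline simulation in which HMAC-SHA256 over a JSON payload stands in for the real cookie and token formats (Entra ID actually signs id_tokens with RS256 and publishes the public keys; the SSO cookie format is opaque). The issuer URL, client ID, key values and user "user-123" are placeholders, and `TOKEN_SIGNING_KEY` is an assumption standing in for the authority's published verification key.

```python
"""Constructed simulation of the two cookies in the sign-in flow described
above. Not Microsoft code: HMAC-SHA256 over a JSON payload stands in for the
real cookie/token formats."""
import base64
import hashlib
import hmac
import json
import secrets
from typing import Optional, Tuple

# Assumed/placeholder identifiers, not real tenant or app values.
AUTHORITY_ISSUER = "https://login.microsoftonline.com/example-tenant/v2.0"
APP_CLIENT_ID = "00000000-0000-0000-0000-000000000000"

SSO_COOKIE_KEY = b"held-only-by-the-authority"      # never leaves the authority
TOKEN_SIGNING_KEY = b"stand-in-for-authority-jwks"  # assumption: relying parties verify with it
APP_SESSION_KEY = b"held-only-by-the-web-app"       # never leaves the web app


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def seal(key: bytes, payload: dict) -> str:
    """base64url(JSON payload) + '.' + HMAC-SHA256 tag under `key`."""
    body = _b64(json.dumps(payload, separators=(",", ":")).encode())
    return body + "." + hmac.new(key, body.encode(), hashlib.sha256).hexdigest()


def unseal(key: bytes, sealed: Optional[str]) -> Optional[dict]:
    """Return the payload only if the tag verifies under `key`, else None."""
    if not sealed or "." not in sealed:
        return None
    body, tag = sealed.split(".", 1)
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None
    return json.loads(_unb64(body))


# ---- authority side (the authorization endpoint) ----
def authorize(sso_cookie: Optional[str], nonce: str, now: float) -> Tuple[str, str, bool]:
    """Return (id_token, sso_cookie, interactive_sign_in_happened)."""
    session = unseal(SSO_COOKIE_KEY, sso_cookie)
    interactive = session is None or session["exp"] <= now
    if interactive:
        # Credentials would be collected here; the user is hard-coded.
        session = {"sub": "user-123", "exp": now + 8 * 3600}
        sso_cookie = seal(SSO_COOKIE_KEY, session)
    id_token = seal(TOKEN_SIGNING_KEY, {
        "iss": AUTHORITY_ISSUER, "aud": APP_CLIENT_ID, "sub": session["sub"],
        "iat": now, "exp": now + 3600, "nonce": nonce})
    return id_token, sso_cookie, interactive


# ---- web app side ----
def validate_id_token(id_token: str, expected_nonce: str, now: float) -> Optional[dict]:
    """Signature, issuer, audience, nonce and expiry must all check out."""
    claims = unseal(TOKEN_SIGNING_KEY, id_token)
    if claims is None:
        return None
    ok = (claims.get("iss") == AUTHORITY_ISSUER
          and claims.get("aud") == APP_CLIENT_ID
          and claims.get("nonce") == expected_nonce
          and claims.get("exp", 0) > now)
    return claims if ok else None


def issue_app_session(claims: dict, now: float) -> str:
    """The app's own session cookie, keyed independently of anything Entra-side."""
    return seal(APP_SESSION_KEY, {"sub": claims["sub"], "exp": now + 3600})


def is_authenticated(session_cookie: Optional[str], now: float) -> bool:
    session = unseal(APP_SESSION_KEY, session_cookie)
    return session is not None and session["exp"] > now


def run_flow(now: float = 1_700_000_000.0) -> dict:
    """Two authorization round trips from one browser; returns checkable facts."""
    nonce1 = secrets.token_hex(8)
    id_token1, sso_cookie, interactive1 = authorize(None, nonce1, now)
    claims1 = validate_id_token(id_token1, nonce1, now)
    app_cookie = issue_app_session(claims1, now)
    nonce2 = secrets.token_hex(8)
    id_token2, _, interactive2 = authorize(sso_cookie, nonce2, now + 60)
    claims2 = validate_id_token(id_token2, nonce2, now + 60)
    forged = seal(b"guess", {"sub": "admin", "exp": now + 9999})  # wrong key
    return {
        "first_visit_interactive": interactive1,
        "second_visit_interactive": interactive2,      # SSO: no sign-in prompt
        "same_user": claims2 is not None and claims2["sub"] == claims1["sub"],
        "app_can_read_sso_cookie": unseal(APP_SESSION_KEY, sso_cookie) is not None,
        "app_session_valid": is_authenticated(app_cookie, now + 60),
        "app_session_expired": is_authenticated(app_cookie, now + 3601),
        "forged_session_accepted": is_authenticated(forged, now),
        "replayed_nonce_accepted": validate_id_token(id_token1, nonce2, now) is not None,
    }


if __name__ == "__main__":
    for name, value in run_flow().items():
        print(f"{name}: {value}")
```

The point to take from `run_flow` is the key separation: the web app holds no key that opens the SSO cookie, so it can only act on the id_token it validated, and the session cookie it then issues is worthless to Entra ID in turn. The nonce check is what stops an id_token from one authorization round trip being replayed into another.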