I'm wondering, are there any guidelines or best practices on when to use sessions and cookies? What should and what shouldn't be stored in them? Thanks!
Only data that identify the session and non-security-sensitive user preferences.
A primary rule of writing secure apps is that a hostile party can easily modify data before returning it to you. Therefore you should not assume that any values submitted from a client are safe to use without validation. A standard technique is to hold data on the server and only exchange a key, constructed in a way that you can check for modification. (I.e., don't use the user ID or account number, as a hostile client could systematically manipulate such a value to try to retrieve data from other users or sessions.)
These documents are a good read on security problems with session cookies, and how to get around them.
In summary, you keep a secret key on the server. With this key you can calculate a secure hash over the secret key, a time stamp, and any data you want in the cookie. You include the secure hash, the time stamp and the data in the cookie.
When you receive a request you can validate that you get the signature expected, so nobody has tampered with the cookie contents.
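An added example (not from the answer above, and not any framework's own code) of the scheme it describes in Python: the server keeps a secret key, signs the timestamp plus data with HMAC-SHA256, and on the way back rejects any cookie whose signature does not match or whose timestamp is outside the allowed age. The secret key, field layout and helper names are constructed for this example.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed server-side secret for this example; in a real app load it from
# a secrets store. It never leaves the server and never goes into the cookie.
SECRET_KEY = b"example-secret-key-do-not-reuse"


def _encode(raw: bytes) -> str:
    # URL-safe base64 without padding, so the value is cookie-safe and dot-free.
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def _decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_cookie(data: dict, secret: bytes = SECRET_KEY, now: Optional[int] = None) -> str:
    """Build '<data>.<timestamp>.<signature>'; the HMAC covers data AND timestamp."""
    ts = int(time.time()) if now is None else now
    payload = _encode(json.dumps(data, sort_keys=True).encode())
    signed = f"{payload}.{ts}".encode()
    sig = _encode(hmac.new(secret, signed, hashlib.sha256).digest())
    return f"{payload}.{ts}.{sig}"


def read_cookie(cookie: str, max_age: int = 3600, secret: bytes = SECRET_KEY,
                now: Optional[int] = None) -> Optional[dict]:
    """Return the data only if the signature verifies and the timestamp is fresh."""
    try:
        payload, ts_text, sig = cookie.split(".")
        ts = int(ts_text)
    except ValueError:
        return None  # malformed: wrong number of fields or non-numeric timestamp
    # Recompute over the exact bytes the client sent, then compare in constant time.
    expected = _encode(hmac.new(secret, f"{payload}.{ts_text}".encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(expected, sig):
        return None  # contents or timestamp were altered, or signed with another key
    current = int(time.time()) if now is None else now
    if ts > current or current - ts > max_age:
        return None  # expired (replayed old cookie) or timestamp from the future
    try:
        return json.loads(_decode(payload))
    except ValueError:
        return None
```

Note that the signature stops tampering but does not hide the data; anything in the cookie is still readable by the client, which is why the answers above keep sensitive values on the server.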