Is there any difference between using a cookie and using a normal header in the case of HTTP communication?
That is more a software development question and likely to attract better answers on the StackOverflow, Software Engineering or possibly the security SE sites.
But the most simple answer is that a header is set by the client and generally static, like for example including a particular API token with every request.
Sessions and cookies get set by the server. The latter gives the server more control and arguably better security. The server can expire them while not invalidating the actual credentials with which you authenticate, making you re-authenticate (for example always after X hours or some idle time) or change their value to prevent session hijacking or replay attacks.
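The server-side control described in the answer above, as an added example that is not part of the original answer: a session table that enforces idle and absolute expiry and rotates the cookie value without touching the user's credentials. The class name `SessionStore`, the cookie name `session` and both timeout values are assumptions chosen for illustration.

```python
import secrets

IDLE_TIMEOUT = 15 * 60        # assumed value: expire after 15 minutes idle
ABSOLUTE_LIFETIME = 8 * 3600  # assumed value: force re-login after 8 hours


class SessionStore:
    """Server-side session table; the cookie carries only an opaque ID."""

    def __init__(self, clock):
        self._clock = clock      # injected so expiry can be exercised in tests
        self._sessions = {}      # session_id -> {"user", "created", "last_seen"}

    def login(self, user):
        """Called after credentials were checked; returns the new cookie value."""
        sid = secrets.token_urlsafe(32)
        now = self._clock()
        self._sessions[sid] = {"user": user, "created": now, "last_seen": now}
        return sid

    def validate(self, sid):
        """Return the user for a live session, else None (client must log in again)."""
        rec = self._sessions.get(sid)
        if rec is None:
            return None
        now = self._clock()
        if (now - rec["last_seen"] > IDLE_TIMEOUT
                or now - rec["created"] > ABSOLUTE_LIFETIME):
            del self._sessions[sid]  # the session dies, the password stays valid
            return None
        rec["last_seen"] = now
        return rec["user"]

    def rotate(self, sid):
        """Swap in a fresh ID; a captured copy of the old value stops working."""
        if self.validate(sid) is None:
            return None
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = self._sessions.pop(sid)
        return new_sid

    def set_cookie_header(self, sid):
        # HttpOnly keeps scripts away from the value, Secure keeps it off plain HTTP.
        return f"Set-Cookie: session={sid}; HttpOnly; Secure; SameSite=Lax; Path=/"
```

A static API token sent in a request header has none of these levers unless the server keeps an equivalent table for it: the value stays valid until the credential itself is revoked.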