You're not incorrect, but that's not really the whole story either. If the thing the cookie is remembering is an authentication token, then the difference is more technologies involved than anything else. They are both "something you have", and they both provide proof of authentication to a site.

Yep but the data in the cookie was provided by the server, which had to already auth you via some means. Like a password, or a client side SSL cert.