Cookies are never encoding just like other data in the disk cache and local storage. The Primary Password is only used to encrypt login credentials stored in the Password Manager.

Sites should never store your actual login in a cookie. However, they typically store a session key that identifies your session on the server and substitutes for having to log in on every request.

If a program has direct access to your system, it could steal session key cookies and attempt to use those to jump into your current sessions. (Although, if your computer is hacked to that extent, this might not be your biggest problem.)

If there are sites where a session hijack would be catastrophic, it is important to end your session when you are done with the site by signing out of the site and waiting for the site to confirm that you are signed out. After that, the old session key is useless -- anyone presenting it would need to sign in again.

If i get this right the session key is a cookie and if the cookie is encrypted i would never have to log out because no one can get that cookie. Right? Correct me if im wrong.

The cookie itself is not protected with a password. Therefore, someone with physical access to or malware running on your computer could exfiltrate your cookies and attempt to use them for a session hijack.