Is there a way to work with sessions or cookies without a database?

4

Hi, I need to create a simple login form. I'm supposed to work without a database, and once the login accepts me, I redirect to the home.php page, but you cannot access home.php directly. But they told me that it had to be done without a database, which does not suit me, since I know how to control sessions with PHP because I work with a database, but in this case I should not implement it. Any ideas?

    
asked by Raphael 16.10.2016 at 01:34

3 answers

7

The database is used as a data repository. Any other form of repository can serve. A .txt or a .json file is useful enough. For example, you can have claves.json:

 { "pepe": "xkdkasdfjasdfsfasdf3234asfd",
   "claudia": "jasfasa39939d98asv88hz8d8f"
 }

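And instead of searching the database, look in the .json file:

 $claves_json = file_get_contents("claves.json");
 // true => decode as an associative array so $claves[$usuario] works
 $claves = json_decode($claves_json, true);
 //... get $usuario and $clave from the client, then:
 // the file stores md5 hashes, so hash the submitted password before comparing
 if (isset($claves[$usuario]) && hash_equals($claves[$usuario], md5($clave))) {
     // ok, login correct
 } else {
     // wrong
 }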

md5

Never store passwords in plain text in a database or in a .txt file. We must try to maintain the privacy of the user. Many people use the same password for many sites; saving the password without hashing it (for example with md5) can be a security problem if someone hacks the site and takes the database or the password file.

    
answered 16.10.2016 at 02:05
1

As you have been told, never save passwords in plain text, but I also do not recommend md5, since there are thousands of md5 "translators"; in PHP, use hash:

<?php
/**
* In this case, we want to increase the default cost for BCRYPT to 12.
* Note that we also switched to BCRYPT, which will always be 60 characters.
*/
$opciones = [
  'cost' => 12,
];
echo password_hash("rasmuslerdorf", PASSWORD_BCRYPT, $opciones)."\n";
?>

source: link

    
answered 17.10.2016 at 09:14
0

The login form, when submitted, can go to an intermediate file, for example door.php, which has no screen output. In this file you receive the form data and compare it with the user and password strings, which must be right there in door.php. If they match, you send a header Location to home.php. If they do not match, you can send the user back to the form with another header Location and a message. To secure the home.php file you can do many things, such as requiring a session variable that was created in door.php, or a conditional so that, if home.php has no referrer (a page that called it), it destroys the session and sends the user to the login.

    
answered 18.10.2016 at 19:26
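
The three answers combined into one flow, as an added example that is not code from any of the answers: a JSON file holding `password_hash()` output, a `door.php` handler that checks it with `password_verify()` and sets a session variable, and a guard for `home.php`. The file name `users.json`, the page `login.php`, the form field names `usuario` and `clave`, and all function names are assumptions.

```php
<?php
declare(strict_types=1);
// Added example; file, page, field and function names are assumptions, the demo account is constructed.
const USERS_FILE = __DIR__ . '/users.json'; // on a real site keep it outside the web root
// One-time setup: store bcrypt hashes only, never the passwords themselves.
function create_user_file(array $plain): void {
    $hashes = array_map(fn($p) => password_hash($p, PASSWORD_BCRYPT, ['cost' => 12]), $plain);
    file_put_contents(USERS_FILE, json_encode($hashes, JSON_PRETTY_PRINT), LOCK_EX);
}

// True only when the user exists in the file and the password matches its hash.
function verify_login(string $user, string $password): bool {
    $users = json_decode((string) @file_get_contents(USERS_FILE), true);
    if (!is_array($users) || !isset($users[$user]) || !is_string($users[$user])) {
        // Unknown user: spend comparable time so response timing does not reveal it.
        password_hash($password, PASSWORD_BCRYPT, ['cost' => 12]);
        return false;
    }
    return password_verify($password, $users[$user]);
}

// Body of door.php: no screen output, only a redirect.
function handle_door(): void {
    session_start();
    $user = $_POST['usuario'] ?? null;
    $pass = $_POST['clave'] ?? null;
    if (is_string($user) && is_string($pass) && verify_login($user, $pass)) {
        session_regenerate_id(true); // new session id after login, against session fixation
        $_SESSION['user'] = $user;
        header('Location: home.php');
    } else {
        header('Location: login.php?error=1');
    }
    exit;
}

// First lines of home.php: without the session variable set by door.php, back to login.
function require_login(): void {
    session_start();
    if (empty($_SESSION['user'])) {
        header('Location: login.php');
        exit;
    }
}

if (PHP_SAPI === 'cli') { // offline demo with a constructed account
    create_user_file(['pepe' => 'constructed-sample-password']);
    var_dump(verify_login('pepe', 'constructed-sample-password'), verify_login('pepe', 'wrong'));
}
```

On a web server, `door.php` would include this file and call `handle_door()`, and `home.php` would call `require_login()` before producing any output.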