The help for action=login says
"Log in and get the authentication tokens. In the event of a successful log-in, a cookie will be attached to your session. ..."
In fact, the first API result contains ONE token, and then if you provide this token and login is successful, you get a sessionid back in the API response, and the HTTP response header sets three cookies:
<cookieprefix>UserID <cookieprefix>UserName <cookieprefix>Token, set to the sessionid in the API result
these all expire in a month, none is a session cookie.
A better description for includes/api/ApiLogin.php might be
Log in and get sessionid and browser cookies. A successful login returns a session ID and its HTTP response header sets wiki cookies identifying the user. ...
Even this might vary with wiki configuration.