For example, a login cookie is “essential” and does not require consent

But don't start that php session (which sets the session cookie) before the user sends login credentials.

You are allowed a session cookie if it is for the operation of a website.

You don't need to ask permission to store a shopping cart or anything like that as a cookie.

I agree, it's not necessarily only login credentials, but could be a shopping cart. However, no shopping cart is needed until the user adds an item to it. Watching the shopping window doesn't need a cookie.

The typical practice seems to be to set a session-cookie unconditionally, to be able to store user-related data within that session, even if the user has not provided any such information.

Are you using that cookie for tracking or analytics?

If not then that's fine.