IANAL, but from my understanding the GDPR itself does not make this distinction. It's okay to store things to implement functionality, like login or shopping baskets. Tracking people is not okay.
Now, there was a different directive preceeding the GDPR that tried to address the rampant abuse of cookies for tracking by regulating cookies directly. The intention of that directive was good, but the implementation really bad. I think this is where this distinction comes from. I don't think I've seen a case where someone who was not doing blatantly shady things with cookies got into trouble with that directive, though.
It doesn't have to be obnoxious either - if you have a preferences page, you could add something like "we'll save these preferences in a cookie on your computer, okay?"
Now, there was a different directive preceeding the GDPR that tried to address the rampant abuse of cookies for tracking by regulating cookies directly. The intention of that directive was good, but the implementation really bad. I think this is where this distinction comes from. I don't think I've seen a case where someone who was not doing blatantly shady things with cookies got into trouble with that directive, though.
It doesn't have to be obnoxious either - if you have a preferences page, you could add something like "we'll save these preferences in a cookie on your computer, okay?"