Yes, it's stored in memory. Some
servlet containers write sessions to disk during a restart, but not during normal operation.
Why would you as the application developer care about where the sessions are stored, or want to interfere with a mechanism that is working fine?
Indeed, the content of sessions is not thread-safe unless you take precautions to make it so. That's generally not a big deal, because sessions are normally restricted to single users. So the "many client" scenarios you describe should not happen.