This week's book giveaway is in the OCAJP forum. We're giving away four copies of OCA Java SE 8 Programmer I Study Guide 1Z0-808 and have Jeanne Boyarsky & Scott Selikoff on-line! See this thread for details.
Sessions are much like a Map that the container stores on a client by client basis in another Map. To identify which session belongs to which client the container generates a unique id, (I don't know the method that the container uses to generate the id) which it uses as a key to the Map it keeps internally of all the sessions. The id is passed to an from the client either in a cookie or as part of the request in a parameter.
When the Servlet or Jsp code requires a session attribute it gets the appropriate session object from the container (note this is already done for you in JSP's) which in turn goes to its map and uses the jsessionid cookie value (or request paramter value) as the key to get the appropriate session, which it then passes back.
The Session itself is mainly used to store attribues for a client, ie all the goods in their shopping cart, etc.
I should add that this is vastly simplified for the sake of a simple explanation.