I think we are achieving the third one(Session Object) by using other three (URL rewriting, hidden variable and cookies ).
Session object will hold all the values related to user session and we may have some id kind of things (JSessionId).
The client will send the ID thro Cookies or URL Rewriting or Hidden variables. Thro� that ID , the server will fetch the session Object.
The simplified version is ,
If a session is required , Container will create a Session object and assign a ID to it. The send the ID to the client thro� Cookies or URL Rewriting or Hidden variable (I think now a days we are not using the third one).
From the next request onwards from the same client you will get the ID. Using that ID, that server will fetch the corresponding session object and do whatever it need.