This week's book giveaway is in the OO, Patterns, UML and Refactoring forum. We're giving away four copies of Refactoring for Software Design Smells: Managing Technical Debt and have Girish Suryanarayana, Ganesh Samarthyam & Tushar Sharma on-line! See this thread for details.
Of course they are stored in session object in server. Container keeps track of session using Session Ids (which is sane as passed between browser and server). Imagine a Hashtable having session ID as key and HttpSession object as value. its similar to that. Though its not necessary to know the internal workings of container. When you maintain session table ( incase you maintain session at application level) , this is one such way to implement it.