Of course they are stored in session object in server. Container keeps track of session using Session Ids (which is sane as passed between browser and server). Imagine a Hashtable having session ID as key and HttpSession object as value. its similar to that. Though its not necessary to know the internal workings of container. When you maintain session table ( incase you maintain session at application level) , this is one such way to implement it.