Session variables and Cookies are entirely different. First is stored in server and can not be disabled by client in any way, later is sent to browser, it is client's discretion to take it or leave it. Testing is upto you. Write a simple servlet with session and a variable. Disable cookie in your browser. Try to read session variable in another simple servlet. That's all your doubt will be clear. Maintaining information always consider to be bad practice, because it is not guaranteed to work. However choice is yours. And also if you want to keep large amount of information, it's not a good idea to store at client side. Isn't it?