Where are the Java HttpSession attributes stored?

Question

Are the objects serialized and sent to the user and back on each connection (stored in cookies) ?

Or are they stored in the server heap and the cookie is only a very sma

Answer 1

The cookie just contains a session identifier (typically called JSESSIONID). The server maps this identifier to whatever data is currently stored in the user's session.

The data itself may be stored in memory, or it may be serialized to database or to file depending upon what server you are using and its configuration.