Are sessions created on the server side?
A servlet session is created and stored on the server side. The servlet container keeps track of all the sessions it manages and fulfills servlet API requests to get HttpSessions, manipulate object data stored with them and trigger event callbacks.
To the maintain the session, Web clients must pass back a valid session identifier as a cookie header value or dynamically generated URL parameter. In this sense, the session is also stored by the client, but only as a token reference.