SessionData as HTTP is stateless, in order to associate a request to any other request, there could be a need to store SessionData between HTTP Requests.

Cookies or URL parameters ( for ex. like http://example.com/myPage?asd=lol&boo=no ) are both ways to transport data between 2 or more HTTP Requests.

So even though the HTTP protocol may be stateless the long-term communications between a HTTP client and HTTP server are NOT.

If properly implemented, SessionData are not good in the use case you do NOT want that data to be readable/editable on client-side.

The Best Practices solution is to store that data server-side and only pass the SessionData by-reference and client only knows that reference id and that it must pass the SessionData to the server with each request.

Of course there are other aspects to consider, like you don't want people to hijack other's sessions, you want sessions to not last forever but to expire, and so on.

More Information#

There might be more information for this subject on one of the following: