Session itself is stored on the server side. Each browser accessing the server will get from the server unique Session ID. This Session ID browser sends to each page requested to the same server. So on client (browser) side, only Session ID is stored in the browser cookie (this is default behavior, when session cookies are enabled in the browser settings… there is also a technique called “URL rewriting” to embed SessionID as URL query parameter, each time the server is called, enabling the application to work even if browser session cookies are disabled – but, it is not so important for the basic session understanding)
So, in order that session for a browser works, the browser sends Session ID to each page being accessed on the same web site. Application server (web site server) finds the saved objects related to that Session ID in the session store (memory/disk/database…) on the server side and could work with those objects when processing the JSP page. Meaning – session objects data is stored on the server side.
The behavior you have experienced by executing “test1.jsp” after application restart is related to some other thing: The application servers (e.g. Apache Tomcat) have a possibility to persist the sessions after the server goes for restart and bring them back when the server is restarted again. The server actually serializes session objects from memory to disk (when going to restart) and deserializes them back from disk to memory afterwards (when restarting again).
If you stop the server and than start it again (not restart), those session objects will be most probably lost, and by executing “test1.jsp” in the same browser window again will give you null.