Where are the Java HttpSession attributes stored?
Original source: http://stackoverflow.com/questions/5838179/
Warning: this content is provided under the CC BY-SA 4.0 license. You are free to use/share it, but you must attribute it to the original authors (not me): Stack Overflow
Asked by Horatiu Jeflea
Are the objects serialized and sent to the user and back on each connection (stored in cookies)?
Or are they stored in the server heap and the cookie is only a very small identifier?
Any information about this topic would be helpful.
Thank you
Accepted answer by rfeak
You got it on the second guess.
The cookie contains a JSESSIONID. That id is used to look up the user's HttpSession in a map that the server maintains. At least this is the most common way. There are more intricate ways that the server can implement this, but shuttling the entire state back and forth in a cookie isn't one of them.
This has some implications. First, if the server goes down, you lose session state. Second, if you have a server cluster, you need to get the user connected to the same server each time, or they will lose their session between subsequent requests. Lastly, session hijacking becomes a possibility if someone finds a way to copy someone else's JSESSIONID and replace theirs with it.
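The lookup described in the accepted answer, as an added example that is not part of the original answers: a JDK-only model of the server-side map, where the cookie value is only a random identifier and the attributes never leave the server. The class and method names (`SessionStoreDemo`, `create`, `lookup`, `rotateId`) are hypothetical, and rotating the identifier at login is a standard mitigation added here for the hijacking risk the answer mentions.

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

// Illustrative model only: real containers (Tomcat, Jetty, ...) have their own session managers.
public class SessionStoreDemo {
    private static final SecureRandom RNG = new SecureRandom();
    // Server-side state: session id -> attribute map. Only the key travels in the cookie.
    private final Map<String, Map<String, Object>> sessions = new ConcurrentHashMap<>();

    private static String newId() {
        byte[] raw = new byte[16];               // 128 bits from a CSPRNG, so ids cannot be guessed
        RNG.nextBytes(raw);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
    }

    // First request: create the session and return the value for the Set-Cookie header.
    public String create() {
        String id = newId();
        sessions.put(id, new ConcurrentHashMap<>());
        return id;
    }

    // Later requests: the cookie value is just a lookup key; an unknown id yields null.
    public Map<String, Object> lookup(String cookieValue) {
        return cookieValue == null ? null : sessions.get(cookieValue);
    }

    // At login: move the attributes to a fresh id so an id captured earlier stops working.
    public String rotateId(String oldId) {
        Map<String, Object> attrs = sessions.remove(oldId);
        if (attrs == null) throw new IllegalStateException("no such session");
        String id = newId();
        sessions.put(id, attrs);
        return id;
    }

    public static void main(String[] args) {
        SessionStoreDemo server = new SessionStoreDemo();
        String cookie = server.create();                        // constructed sample flow
        server.lookup(cookie).put("cart", "3 items");           // stored on the server heap
        String fresh = server.rotateId(cookie);                 // e.g. after authentication
        System.out.println("old id valid:  " + (server.lookup(cookie) != null));
        System.out.println("new id valid:  " + (server.lookup(fresh) != null));
        System.out.println("cart attribute: " + server.lookup(fresh).get("cart"));
    }
}
```

In a Servlet 3.1 or later container, `HttpServletRequest.changeSessionId()` performs the same rotation on the real `HttpSession`.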
Answer by aroth
The cookie just contains a session identifier (typically called JSESSIONID). The server maps this identifier to whatever data is currently stored in the user's session.
The data itself may be stored in memory, or it may be serialized to database or to file depending upon what server you are using and its configuration.