The only 'state' thing in a web application is what's stored persistently somewhere (like a database), the web request-response flow is stateless. It takes from or puts to the persistent storage so it behaves like as if it's stateful. IMHO, session and cookie are included in this persistent storage.
