2

I have read that every time an HTTP request is made to Tomcat for a servlet, it creates a new HTTPRequest object, and using that request object we can access the session object and store information. This session object stores the information across multiple requests.

I want to understand: if Tomcat is creating a new HTTPRequest object for every request coming from a browser, then how is it able to attach the same session object across multiple requests?

Delphi

3 Answers

2

Apache is a servlet container. The servlet container is attached to a webserver which listens for HTTP requests on a certain port number, which is usually 80. When a client (user with a web browser) sends an HTTP request, the servlet container will create new HttpServletRequest and HttpServletResponse objects and pass them through the methods of the already-created Filter and Servlet instances whose URL-pattern matches the request URL, all in the same thread.

The request object provides access to all information of the HTTP request, such as the request headers and the request body. The response object provides the facility to control and send the HTTP response the way you want, such as setting headers and the body (usually with HTML content from a JSP file). When the HTTP response is committed and finished, both the request and response objects will be trashed. Source: https://howtodoinjava.com/server/tomcat/a-birds-eye-view-on-how-web-servers-work/

  • Actually, Tomcat **recycles instances of `HttpServletRequest`**, so it's not necessarily true that, as you say, "the servlet container will create new HttpServletRequest and HttpServletResponse objects". This means that a servlet could receive the **same instance** of `HttpServletRequest` for multiple requests (they will just contain different internal state). Therefore, since it's **not immutable** it's critically important to make sure the `HttpServletRequest` object is not referenced anywhere outside the lifecycle of a single request. – typeracer Aug 01 '19 at 22:35
2

First of all, it is important to note that a servlet container does not necessarily create a new instance of HttpServletRequest for each request.

Tomcat, for example, recycles existing instances of HttpServletRequest as a performance optimization to reduce heap allocation. After a response has been committed, it resets the internal state of the existing HttpServletRequest instance and reuses that same instance for the next request. Same thing for the HttpServletResponse instance.

As a consequence, since this object is not immutable it's critically important to make sure that a HttpServletRequest object is not referenced anywhere outside the lifecycle of a single request.

To answer the OP's question: the HttpSession object is not something that's stored in a field of HttpServletRequest. HttpServletRequest.getSession() is just an API method, and the servlet engine typically implements it by retrieving the HttpSession from the session storage mechanism using the session ID provided by the request.

  • NOTE: there is also no guarantee that the same actual instance of HttpSession will be returned for subsequent requests connected to the same session (see this question)
typeracer
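
The following is an added example, not part of the original answers and not Tomcat's code: a plain-Java toy model (the `Request`, `Session` and `store` names are hypothetical) of a recycled request object and a session store keyed by session ID. It shows why the same session is found across requests, and why a request reference kept past its request ends up exposing another user's data.

```java
import java.util.*;

// Toy model (constructed, not Tomcat code): one pooled request object is
// reset and reused, while sessions live in a separate store keyed by ID.
public class RecycledRequestDemo {
    static class Session { final Map<String, Object> attrs = new HashMap<>(); }

    static class Request {
        String sessionId, user;                        // per-request state
        final Map<String, Session> store;              // container-wide session store
        Request(Map<String, Session> store) { this.store = store; }
        void recycle(String sessionId, String user) {  // reset for the next request
            this.sessionId = sessionId; this.user = user;
        }
        Session getSession() {                         // lookup by ID, not a field
            return store.computeIfAbsent(sessionId, id -> new Session());
        }
    }

    public static void main(String[] args) {
        Map<String, Session> store = new HashMap<>();
        Request pooled = new Request(store);           // single recycled instance

        // Request 1: alice, session cookie value "A1" (constructed).
        pooled.recycle("A1", "alice");
        pooled.getSession().attrs.put("cart", "book");
        Request leaked = pooled;                       // BUG: reference kept past the request
        String safeUser = pooled.user;                 // OK: value copied during the request

        // Request 2: bob, different session, same request object.
        pooled.recycle("B7", "bob");
        pooled.getSession().attrs.put("cart", "laptop");

        // Request 3: alice again; her session is found by ID.
        pooled.recycle("A1", "alice");
        System.out.println("alice cart: " + pooled.getSession().attrs.get("cart"));

        // Stale reference as it would look while bob's request was current:
        pooled.recycle("B7", "bob");
        System.out.println("leaked sees user: " + leaked.user
            + ", cart: " + leaked.getSession().attrs.get("cart"));
        System.out.println("copied value still: " + safeUser);
    }
}
```

In a real servlet the same rule applies to background threads, caches and static fields: copy the values you need while the request is being handled and pass those along, never the `HttpServletRequest` itself.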
1

Although the HttpRequest object is created for each request, the HttpSession object is persisted between the requests. The session is identified by the JSESSIONID cookie or request parameter (in case cookies are disabled) as explained in this answer.

As per Servlet 3.0 Specification:

> HttpSession objects must be scoped at the application (or servlet context) level. The underlying mechanism, such as the cookie used to establish the session, can be the same for different contexts, but the object referenced, including the attributes in that object, must never be shared between contexts by the container.

Karol Dowbecki