Session is the most widely used PHP feature which is being used for security purpose. From beginner to expert, almost all coder feel comfort using session as for its wonderful feature (preserving data across subsequent accesses) .
But question is, where actually session data be saved? In client browser URL or in browser cookie? Or, in server?

First and simple answer is – session born in server and uses browser’s cookie to keep track (alive) by an Id. If cookie is not enabled, it parses to browser URL as variable (serialized).

Now, how can server remember the huge number of variables that is registered with session? Specially when PHP is installed as CGI wrapper, as PHP interpreter is created and destroyed for every page request.

Yes, server needs to save those data in its physical memory too.
Session creates a file to save its information at the location assigned by session_save_path() function or set by session.save_path option.

So, at the final sentence, we can say that session uses ┬ámemory – server side (physical file in session_save_path location) to save all data and client side (physical file cookie) or in URL as a variable where just a unique ID (sesssion id) is saved.