The state for a stateful session bean is maintained as fields in the object.
If the container has to passivate the bean (maybe it has to make "room" for other more active beans), it might serialize the thing to a file on disk. Before the client uses it again, it will be deserialized and the bean activated. But all you care (as the developer) is that you wrote an object and the data is referenced by fields.
But think about why you are using stateful session beans. They can be misused and put a burden on the server.
Just because it has "session" in its name does not mean it is anything at all like the http session object. It is not a replacement.
I usually prefer to keep the ejb's api stateless, and let the client keep the state. If the client is a webapp, this means the client's state is in http session. If the client is a
java program, it means keeping the state in that program's memory.