One thing that you might be confusing is that client-side session storage is not the same as server-side session storage. Server-side session storage is secure, while Javascript sessionStorage is just a variation of localStorage which is a replacement for old-fashioned cookies.
Server:
https://www.w3schools.com/asp/asp_sessions.asp
Client:
https://www.w3schools.com/html/html5_webstorage.asp