I am not sure, I understand your answer right, madhead.
How to you run your app? Do you use Tomcat or Jetty embedded server or deploy it in those servers? They all have their own session storage implementation. Tomcat uses file-bases session storage by default.
Would you agree on:
If I deploy a spring app in a tomcat, then the default is file-based.
But if I deploy a spring app with an embedded tomcat, then the default is in-memory.