The session information is cryptographically signed, so you don't have to trust it! These stateless server frameworks are just using the client as a state cache.