After login, a subject's state (principals, authentication state, etc) are bound to the Subject's session. This allows Shiro to reconstruct the Subject instance later on by acquiring a Session (e.g. by id) and reconstructing the Subject based on the Session's state.
In stateless environments (e.g. some REST-enabled applications), it is not desirable to create a session. There should be a pluggable component that performs state binding and unbinding for subject login and logout, respectively. Stateless applications can choose to configure Shiro with a stateless binder if they don't want sessions to be created.