1đź‘Ť
This question is a bit vague: some specifics, or even some code, would have helped.
There are two separate differences between running this as a desktop app and running it on the web. Lack of state is one issue, but it seems like the much more significant difference is the per-user configuration. You need some way of storing that configuration for each user.
Where you put that depends on how persistent you want it to be: the session is great for things that need to be persisted for an actual session, ie the time the user is actively using the app at one go, but don’t necessarily need to be persisted beyond that or if the user logs in from a new machine. Otherwise, storing it explicitly in the database attached to the user record is a good way to go.
In terms of “what happens between requests”, the answer as Bruno points out is “nothing”. Each request is really a blank state: the only way to keep state is with a cookie, which is abstracted by the session framework. What you definitely don’t want to do is try to keep any kind of global or module-level per-user state in your app, as that can’t work: any state really is global, so applies to all users, and therefore is clearly not what you want here.