Think of a controller as a servlet. Servlets are only loaded once, as are controllers.
You can also store state in ThreadLocals - but this should not be designed in. Having to store state in the controller is, IMO, bad design. There are always exceptions where it is necessary, but it should not be part of the design.
Think of the abstractions - a controller represents the application, an HttpSession represents the user. So where should the user's state be stored?