'an app is not supposed to have state. State should be kept in the data layer where the database is'
There are designs where this is the norm, aptly called 'stateless architectures'. Whether every architecture should be stateless is of course doubtful and the very term is perhaps opens to debate as well.
Most "stateless" applications in fact do have state, but as the rule above states (no pun) this state is kept in one global place; the database. As Peter mentions, the reasons for this might be maintainability and simplification, but it's also often heard that this is for scalability
. Without state appearing anywhere but in the database, it's thought to be easy to add additional front-end servers, processing servers, and what have you.
While this has some merit indeed, I think we do have to make a distinction between temporary state and authoritative state.
Temporary state can be something like the place you are in an ordering process and the details you have already entered. In Java EE, you could keep this around in e.g. @ConversationScoped beans, or @Stateful beans. This is thus state that you keep inside the web layer resp. business layer.
The advantages of this are ease of use, performance and unloading your single central database. Sure, you can store temporary state in your central database as well, but you probably want to keep this away from the regular, non-temporary data, which means some additional programming complexity is needed. It's also typically much faster to retrieve data from the web layer, and it removes some load from the database.
In many systems there's only a single master database (a database accepting writes), so this single database might become a huge bottleneck in that setup.
Depending on your actual architecture and setup, not keeping temporary state in the database -may- actually improve your ability to scale.
The disadvantages are that you do need your client to stick to the single server on which the temporary state is currently kept. This is typical called 'sticky sessions'. If the one server where this client is interacting with fails or needs to be restarted or whatever, the client will loose this temporary data. There are some schemes like replicating state to all nodes in a cluster or to nearby nodes (buddy replication), but this is making things complicated again and may overload the network (if all nodes are constantly replicating to each other).
Authoritative state means it represents shared data that is the sole source of information. This kind of state is something we almost always like to have at a central location, but sometimes you'd see it being stored in e.g. a web node.
For example, suppose we have a list of recent prices, and instead of persisting this to a central location we keep it on the web node where it was entered. Now there's a concept of the "one and only" web node that has this information and other servers may start assuming there's only this "one and only" web node. Adding additional nodes is now impossible, since it breaks this assumption.