Context: Web Application – Java, Spring MVC, Spring Security
What is not transparent to me is what information to store/how to perform certain actions in a web application (don't take passwords into consideration, of course). For example, I can:
- Retrieve the user (db request) and store the user details in a session.
- Just retrieve the user id (db request), store it in a session and pass it to DAOs when needed. Is it safe to store user ids in sessions?
- Request-scoped: don't store anything in the session (of course Spring still stores security details in there). If the user requests an action, determine if they are authenticated (?+role), determine their id (db request), and pass it to the DAOs. If the user requests this action again, the steps will have to be repeated.
Assume my db tables always have an int id as a primary key; the login name is just unique. And please don't be confined to my 3 approaches, these are really simple examples. I am talking about data storing/persisting (please don't associate ORM with this word in this context), which is a combination of db requests and is used for DTOs on the server side in a web application.
What I think is that the more details I store in a session (or across requests), the easier it is for me to manage, plus fewer requests to the database. If I keep these details in a form that does not identify a particular user, then there should be no problems? For example, if I store "id = 5; fruit_id[]=1,4,7;" (sorry if the syntax is wrong), say, in the session, it doesn't really sound identifying if security is breached?
Your question is a bit vague and can only be properly answered in light of exact details. However, in general it is fine to store user details, including the user id, in the session, probably as a User object mirroring whatever fields/details you have in your db's user table. It's also OK to store authentication levels or roles. Of course you shouldn't store too much data in the session.
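One way to realise the answer's suggestion in Spring Security, as an added example that is not part of the original question or answer: a custom UserDetails carries the int primary key, so the id lives in the server-side SecurityContext that Spring already keeps in the session and is neither re-queried per request nor accepted from the client. The names AppUser, CurrentUser, FruitDao, FruitController and the "fruits" view are assumptions for this example.

```java
import java.util.Collection;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.stereotype.Controller;
import org.springframework.ui.Model;
import org.springframework.web.bind.annotation.RequestMapping;

/** Principal carrying the int primary key; Spring Security keeps it server-side in the session. */
class AppUser implements UserDetails {
    private final int id;                 // users.id; never exposed to or accepted from the client
    private final String username;        // unique login name
    private final String passwordHash;    // needed only while authenticating
    private final Collection<? extends GrantedAuthority> authorities; // roles snapshot taken at login

    AppUser(int id, String username, String passwordHash, Collection<? extends GrantedAuthority> authorities) {
        this.id = id; this.username = username;
        this.passwordHash = passwordHash; this.authorities = authorities;
    }
    public int getId() { return id; }
    @Override public String getUsername() { return username; }
    @Override public String getPassword() { return passwordHash; }
    @Override public Collection<? extends GrantedAuthority> getAuthorities() { return authorities; }
    @Override public boolean isAccountNonExpired() { return true; }
    @Override public boolean isAccountNonLocked() { return true; }
    @Override public boolean isCredentialsNonExpired() { return true; }
    @Override public boolean isEnabled() { return true; }
}

/** Reads the id from the SecurityContext of the current request, not from a request parameter. */
class CurrentUser {
    static int id() {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        if (auth == null || !(auth.getPrincipal() instanceof AppUser)) {
            throw new IllegalStateException("no authenticated AppUser in this request");
        }
        return ((AppUser) auth.getPrincipal()).getId();
    }
}

interface FruitDao { java.util.List<String> findByOwnerId(int ownerId); } // assumed DAO (hypothetical)

@Controller
class FruitController {
    private final FruitDao fruitDao;
    FruitController(FruitDao fruitDao) { this.fruitDao = fruitDao; }

    @RequestMapping("/fruits")
    public String fruits(Model model) {
        // the owner id comes from the session-held principal, so a user can only list their own rows
        model.addAttribute("fruits", fruitDao.findByOwnerId(CurrentUser.id()));
        return "fruits";
    }
}
```

The authorities are captured when the principal is built at login and stay in the session until the user re-authenticates, so a role change in the database takes effect only after the next login unless you reload them.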