I’m hearing that some people believe storing info on the server in a session is a bad idea, that it's not secure.
As a result, in a multi-page business process function, the application is writing data to a db, then retrieving the info when it's needed. Is there something necessarily unsafe about storing private info in a session?
There’s not a security risk in storing attributes in a Session, as long as the session itself is safe from hijacking.
There are some serious issues involving concurrency and sessions. Since it's extremely common for multiple threads to be making requests concurrently for a single session, you have to make sure that the objects you store in a Session are thread safe. Either make them immutable, or make them thread safe with memory barriers like synchronization. I highly recommend an article on the subject by Brian Goetz.
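The lost-update problem the answer warns about, as an added example that is not from the original post or its author: a constructed in-memory session store (a stand-in for a real container's session object) is hit by several concurrent request threads, first with a mutable object whose read-modify-write is not atomic, then with an immutable value swapped in under a lock.

```python
import threading
import time
from dataclasses import dataclass, replace


class UnsafeCart:
    """Mutable object stored in the session; updates are read-modify-write."""
    def __init__(self):
        self.items = 0


@dataclass(frozen=True)
class ImmutableCart:
    """Immutable value: a request never mutates it, only replaces it."""
    items: int = 0


class SessionStore:
    """Constructed minimal session store: one value per session id."""
    def __init__(self):
        self._sessions = {}
        self._lock = threading.Lock()  # guards the map and update() swaps

    def set(self, sid, value):
        with self._lock:
            self._sessions[sid] = value

    def get(self, sid):
        with self._lock:
            return self._sessions[sid]

    def update(self, sid, fn):
        """Atomic read-modify-write: compute a new value and swap it in."""
        with self._lock:
            self._sessions[sid] = fn(self._sessions[sid])


def run_concurrent_requests(handler, n_threads):
    threads = [threading.Thread(target=handler) for _ in range(n_threads)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()


def unsafe_demo(n_threads=8):
    store = SessionStore()
    store.set("sid-1", UnsafeCart())

    def handler():
        cart = store.get("sid-1")
        n = cart.items          # read ...
        time.sleep(0.05)        # ... other request threads interleave here ...
        cart.items = n + 1      # ... write clobbers their increments
    run_concurrent_requests(handler, n_threads)
    return store.get("sid-1").items   # fewer than n_threads: lost updates


def safe_demo(n_threads=8):
    store = SessionStore()
    store.set("sid-1", ImmutableCart())

    def handler():
        store.update("sid-1", lambda c: replace(c, items=c.items + 1))
    run_concurrent_requests(handler, n_threads)
    return store.get("sid-1").items   # exactly n_threads
```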