Where is servlet HttpSession stored?
Is it safe to store sensitive information in HttpSession attributes?
Can user maliciously modify session attributes?
Where HttpSession is stored depends on the application server implementation and the configuration selected by the deployer. Usually it is stored in memory, but many application servers allow you to persist it in a database. In any case, the session is stored on the server and not on the client.
If by user you mean the client, then it is impossible for him/her to modify it, as it is stored server-side.
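The behaviour described in the answer above, as an added example that is not part of the original question or answer: the servlet keeps `userId` and `role` in the server-side session and ignores any client-supplied copy, so the client only ever holds the session ID cookie. The `jakarta.servlet` namespace (Servlet 5 or later), the `/account` path, and the attribute and parameter names are assumptions, and the credential check is left out.

```java
import java.io.IOException;
import jakarta.servlet.annotation.WebServlet;
import jakarta.servlet.http.HttpServlet;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import jakarta.servlet.http.HttpSession;

// Hypothetical servlet for illustration; path, attribute and parameter names are assumptions.
@WebServlet("/account")
public class AccountServlet extends HttpServlet {

    // POST /account: bind the identity to the session (credential check omitted here).
    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        String user = req.getParameter("user");
        if (user == null || user.isBlank()) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }
        HttpSession session = req.getSession(true);
        // Issue a fresh session ID at login so an ID handed out before login is not kept.
        req.changeSessionId();
        // Attributes live in the container's session store (memory or a configured
        // persistent store); they are not written into the response.
        session.setAttribute("userId", user);
        session.setAttribute("role", "customer");
        resp.setStatus(HttpServletResponse.SC_NO_CONTENT);
    }

    // GET /account: decisions are made from the server-side attributes only.
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        HttpSession session = req.getSession(false); // do not create a session for anonymous clients
        if (session == null || session.getAttribute("userId") == null) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        // A "role" request parameter or cookie sent by the client is never read:
        // only the value stored in doPost is consulted.
        String role = (String) session.getAttribute("role");
        resp.setContentType("text/plain");
        resp.getWriter().println("user=" + session.getAttribute("userId") + " role=" + role);
    }
}
```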