Is it inadvisable to store a hashed password in session?

Question

Is it inadvisable to store a hashed password in a user object in (server-side) session? It goes without saying that a salted and hashed password needs to be retrieved at some point to compare the hash to authenticate a given user, but once the comparison has taken place is there a quantifiable security risk associated with keeping it in the user object?

---

Given the discussion in the comments, the gist of the question was that password and hash data would be stored in the user object with the rest of the user data once retrieved from the database in a single, clean call. I understood before posting the question that of course there is a risk, but is it viable enough to warrant implementing a framework to clear it from the user, or would doing so just amount to good practice?

---

Given the responses, what I believe to be the best solution is to have a credentials object containing the password and salt that is associated with the user by ID but not stored directly in it.

When a user attempts to log in, the user object (which contains no password data) is retrieved from the database by email/username. The ID is then read and used to retrieve the associated credentials object. Password verification can then take place. If the password is correct, the user is put in session and the credentials object destroyed.

The result is a user object free of password data, so any potential associated security risks (however minimal they may be, as discussed in the question) are avoided. The other upshot is that there is no manual clearing of password data from the user object before its use. This is a more reliable system than requiring the data to be cleared each and every time, and if EF or a similar technology is being used there is no risk of accidentally erasing password data when the object's changes are pushed to the database.

Answer 1

Personally I don't see any reason not to. If the salted hash is secure, storing it in the server-side session shouldn't be any less secure than storing it in the database.

After all, the whole point of using a good salted hash is that even if your database is compromised and someone obtains all the salted hashes, they still wouldn't be able to recover the actual passwords.