Is it possible to view HttpSession attributes with client side exploit?

I have recently started to maintain an online system. It is using JSF with PrimeFaces for the front end, with a Java backend. JSF is a new technology for me.

During the login process the whole user table (including clear text passwords (will soon be fixed)) is loaded into an HttpSession attribute, and referenced in other parts of the system. The system has less than 50 users, so the size of data is not a big concern to me.

The fact that all the user data are riding in the session is however a concern.

Do I worry needlessly, or is there a way to gain access to this information via a client side exploit? Are there any other reasons I can put on my manager's table as justification for an urgent rewrite of this mechanism?

Abbreviated code below:

login.xhtml

<p:inputText id="username" value="#{userBean.userName}" name="username"></p:inputText>
<p:password id="password" value="#{userBean.password}"></p:password>
<p:commandButton id="loginSubmit" value="Login" action="#{userBean.auth}"></p:commandButton>

UserBean.java

import java.util.HashMap;
import javax.faces.bean.ManagedBean;
import javax.faces.bean.SessionScoped;
import javax.faces.context.FacesContext;
import javax.servlet.http.HttpSession;

@ManagedBean(name = "userBean")
@SessionScoped
public class UserBean {
    public String auth() {
        // ... (credential check elided in the question)
        FacesContext fctx = FacesContext.getCurrentInstance();
        // getSession(true) creates the server-side session if none exists yet
        HttpSession session = (HttpSession) fctx.getExternalContext().getSession(true);
        // the entire user table is loaded and parked in the session attribute "usersMap"
        HashMap<Long, UserDetail> usersMap = dbBean.getAllUserDetails();
        session.setAttribute("usersMap", usersMap);
        // ... (navigation outcome elided in the question)
    }
}
ufis asked Oct 20 '22 11:10


1 Answer

Although comments answered your question, let's sum it up:

  • The session is stored on the server side; no client hack could access this data unless it exploits security flaws in the JSF implementation, which is quite rare
  • If a hacker is able to hack server components, he will surely gain access to user data from the db, even when it's not stored in the user session
  • Your concerns are understandable, but you should focus on user code flaws or known library flaws rather than application design
Benjamin Caure answered Oct 23 '22 10:10
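A hardened version of the question's auth(), added here as an example (it is not code from the asker, the answerer, or any project): it keeps only the authenticated user's id in the HttpSession instead of the whole user table, verifies a salted PBKDF2 hash instead of a clear-text password, and re-creates the session at login so a pre-login session id is not carried over. DbBean, UserDetail, findByUserName, findById, getSalt and getPasswordHash are assumed names; the JSF and servlet calls are the standard ones.

```java
import java.security.MessageDigest;
import java.security.spec.KeySpec;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.faces.bean.ManagedBean;
import javax.faces.bean.ManagedProperty;
import javax.faces.bean.SessionScoped;
import javax.faces.context.FacesContext;
import javax.servlet.http.HttpSession;

@ManagedBean(name = "userBean")
@SessionScoped
public class UserBean {
    private String userName;
    private String password;
    // Hypothetical DAO: looks up one user at a time instead of loading the whole table.
    @ManagedProperty("#{dbBean}")
    private DbBean dbBean;

    public String auth() throws Exception {
        // Hypothetical UserDetail: carries a per-user salt and a PBKDF2 hash, never clear text.
        UserDetail u = dbBean.findByUserName(userName);
        boolean ok = u != null && matches(password, u.getSalt(), u.getPasswordHash());
        password = null;                       // do not keep the submitted secret in the session-scoped bean
        if (!ok) {
            return "login?faces-redirect=true";
        }
        FacesContext fctx = FacesContext.getCurrentInstance();
        fctx.getExternalContext().invalidateSession();   // discard the pre-login session and its id
        HttpSession session = (HttpSession) fctx.getExternalContext().getSession(true);
        session.setAttribute("authUserId", u.getId());    // only the id lives in the session
        return "home?faces-redirect=true";
    }

    // Derive PBKDF2-HMAC-SHA256 from the submitted password and compare in constant time.
    static boolean matches(String pw, byte[] salt, byte[] expected) throws Exception {
        KeySpec spec = new PBEKeySpec(pw.toCharArray(), salt, 100_000, expected.length * 8);
        byte[] actual = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                .generateSecret(spec).getEncoded();
        return MessageDigest.isEqual(expected, actual);
    }

    // Other pages resolve the current user per request instead of reading a cached usersMap.
    public UserDetail currentUser() {
        HttpSession s = (HttpSession) FacesContext.getCurrentInstance()
                .getExternalContext().getSession(false);
        Long id = s == null ? null : (Long) s.getAttribute("authUserId");
        return id == null ? null : dbBean.findById(id);
    }

    public String getUserName() { return userName; }
    public void setUserName(String v) { userName = v; }
    public String getPassword() { return password; }
    public void setPassword(String v) { password = v; }
    public void setDbBean(DbBean b) { dbBean = b; }
}
```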