Java session variables

I'm hearing that some people believe storing info on the server in a session is a bad idea, that it's not secure.

As a result, in a multi-page business process function, the application is writing data to a db, then retrieving the info when it's needed. Is there something necessarily unsafe about storing private info in a session?

asked Dec 17 '22 09:12 by bmw0128


2 Answers

There's not a security risk in storing attributes in a Session, as long as the session itself is safe from hijacking.

There are some serious issues involving concurrency and sessions. Since it's extremely common for multiple threads to be making requests concurrently for a single session, you have to make sure that the objects you store in a Session are thread safe. Either make them immutable, or make them thread safe with memory barriers like synchronization. I highly recommend an article on the subject by Brian Goetz.

answered Dec 27 '22 13:12 by erickson
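The concurrency point in the answer above, shown as an added example (not code from the answer or from any particular framework). A `ConcurrentHashMap` stands in for `javax.servlet.http.HttpSession` so the program runs without a servlet container, and the attribute names and the `Cart`/`PlainCounter` classes are made up for the demonstration; each worker thread plays the role of one concurrent request on the same session.

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.CountDownLatch;
import java.util.concurrent.atomic.AtomicInteger;

// Demonstrates why objects stored in a session must be immutable or thread safe.
// The "session" is a plain ConcurrentHashMap standing in for HttpSession (assumption).
public class SessionConcurrencyDemo {

    // Unsafe: a mutable counter with an unsynchronized read-modify-write.
    static final class PlainCounter {
        private int value;
        void increment() { value++; }   // not atomic: two threads can read the same value
        int get() { return value; }
    }

    // Safe option 1: an immutable value object; an update produces a new instance.
    static final class Cart {
        private final int items;
        Cart(int items) { this.items = items; }
        Cart addItem() { return new Cart(items + 1); }
        int items() { return items; }
    }

    // Runs `work` `perThread` times on each of `threads` threads, like concurrent
    // requests hitting the same session, and waits for all of them to finish.
    static void hammer(int threads, int perThread, Runnable work) throws InterruptedException {
        CountDownLatch done = new CountDownLatch(threads);
        for (int t = 0; t < threads; t++) {
            new Thread(() -> {
                for (int i = 0; i < perThread; i++) work.run();
                done.countDown();
            }).start();
        }
        done.await();
    }

    public static void main(String[] args) throws InterruptedException {
        Map<String, Object> session = new ConcurrentHashMap<>();
        final int threads = 50, perThread = 20_000, expected = threads * perThread;

        // 1. Mutable, unsynchronized object in the session: lost updates are likely,
        //    so the final count is usually lower than expected.
        session.put("plain", new PlainCounter());
        hammer(threads, perThread, () -> ((PlainCounter) session.get("plain")).increment());
        System.out.println("plain counter, expected " + expected + ": "
                + ((PlainCounter) session.get("plain")).get());

        // 2. Thread-safe object: AtomicInteger provides the memory barriers the
        //    answer refers to, so every increment is visible and counted.
        session.put("atomic", new AtomicInteger());
        hammer(threads, perThread, () -> ((AtomicInteger) session.get("atomic")).incrementAndGet());
        System.out.println("atomic counter: " + ((AtomicInteger) session.get("atomic")).get());

        // 3. Immutable object replaced atomically: compute() runs the remapping
        //    under the map's own lock, so concurrent addItem() calls never collide.
        session.put("cart", new Cart(0));
        hammer(threads, perThread, () -> session.compute("cart", (k, v) -> ((Cart) v).addItem()));
        System.out.println("cart items: " + ((Cart) session.get("cart")).items());
    }
}
```

With a real `HttpSession` there is no `compute()`; `setAttribute`/`getAttribute` are individually safe but a get-modify-set sequence is not, so either store thread-safe objects (option 2) or guard the read-modify-write with `synchronized` on a per-session lock object that is itself stored as an attribute. Option 1 (immutable values) still helps there because a stale reference can never be observed half-updated.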


HTTP sessions themselves aren't inherently unsafe. However, depending on your application server / container, the mechanism in which session cookies are passed back to the browser (and lack of transport layer security - SSL) can allow malicious parties to perform a variety of attacks (cross-site scripting, session hijacking, etc.). I would spend some time researching these things along with SQL injection to understand the full ramifications of using HTTP sessions. If your application runs within a firewall, there are often much bigger security risks than this one, such as social engineering.

answered Dec 27 '22 15:12 by jonathan.cone
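The cookie-transport concerns in the answer above (session cookies readable by script, or sent without TLS, enabling hijacking) can be reduced from inside the application. This is an added example, not code from the answer; it uses the standard Servlet 3.x `SessionCookieConfig` and `HttpServletRequest.changeSessionId()` APIs, and the `LoginServlet` URL and the `authenticated` check are placeholders for the application's own login logic.

```java
import java.io.IOException;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.ServletException;
import javax.servlet.SessionCookieConfig;
import javax.servlet.annotation.WebListener;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hardens how the session id cookie is issued, for the whole web application.
@WebListener
public class SessionCookieHardening implements ServletContextListener {
    @Override
    public void contextInitialized(ServletContextEvent sce) {
        SessionCookieConfig cfg = sce.getServletContext().getSessionCookieConfig();
        cfg.setHttpOnly(true); // page scripts cannot read the id, limiting what XSS can steal
        cfg.setSecure(true);   // browser only sends the cookie over HTTPS (TLS), never in clear
        cfg.setMaxAge(-1);     // session-scoped cookie: discarded when the browser closes
    }

    @Override
    public void contextDestroyed(ServletContextEvent sce) {
        // nothing to release
    }
}

// Issues a fresh session id once the user authenticates, so an id that was
// handed out (or observed) before login cannot be reused as the logged-in session.
@WebServlet("/login") // placeholder path
class LoginServlet extends HttpServlet {
    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Placeholder: the application's own credential check goes here.
        boolean authenticated = checkCredentials(req.getParameter("user"), req.getParameter("pass"));
        if (!authenticated) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        req.changeSessionId();                       // Servlet 3.1: new id, same attributes
        HttpSession session = req.getSession(true);
        session.setAttribute("user", req.getParameter("user"));
        session.setMaxInactiveInterval(15 * 60);     // idle timeout in seconds
        resp.sendRedirect(req.getContextPath() + "/home");
    }

    // Hypothetical stand-in for the real authentication routine.
    private boolean checkCredentials(String user, String pass) {
        return user != null && pass != null && !user.isEmpty() && !pass.isEmpty();
    }
}
```

Deploy the two classes in a Servlet 3.1 container (Tomcat 8+, Jetty 9+); the same `http-only` and `secure` flags can equally be declared in `web.xml` under `<session-config><cookie-config>`. The listener addresses the cookie exposure the answer describes, while `changeSessionId()` plus a short inactivity timeout shrink the window in which a captured id remains useful.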