I store user data such as name, password and email in the HttpSession with setAttribute.

I want to know if it is safe to store critical data in HttpSession.

mulax

  • Why do you need to store the password in the HttpSession object?? – systempuntoout May 03 '12 at 22:37
  • There is no acceptable reason to store the plain password **anywhere**, be it a session, a cookie, a database, a cache (except your CPU's one :p) or anything else that is not just a short-lived variable. – ThiefMaster May 04 '12 at 06:26
  • I have no real reason to save the password, but I want to store other user data for quick access from JSP and EL expressions. But I could also save the user data in a bean. – mulax May 09 '12 at 18:28

2 Answers

Try storing login information in one of the following user repositories (checking the validity while logging in):

  • In-memory (say, it could be an xml file),
  • JDBC-based,
  • LDAP-based.

This is not the full list of authentication options.

You should at least use SSL/HTTPS for login and any other sensitive data.

Take a look at this article: http://en.wikipedia.org/wiki/Session_hijacking

And here is a nice SO discussion on that issue: What is the best way to prevent session hijacking?

Some security issues are also mentioned here: What should every programmer know about web development?

John Doe

Ideal practice is to NEVER save passwords in any means of the application. Ideally passwords need to be saved encrypted in the DB's user table if you use DB-based authentication, or use LDAP authentication.

After being successfully authenticated, you can keep fields such as email and name in the HTTP session. It's best that the username (which is unique) is kept in the session and the profile information is read from the database based on this username by performing a database read. You can keep this information in a cookie to facilitate repopulating frequent visitors with some information as well.

The most important thing is to NOT save passwords in hidden variables, cookies or query strings AT ALL.

Any sensitive information that MUST be kept must be in a SESSION, but encrypted.

Sanath
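As an added illustration of the pattern both answers describe (not code from either answer): a login servlet that verifies the submitted credentials against a user repository, starts a fresh session after authentication, and keeps only the unique username and non-sensitive display data in the HttpSession, never the password. `UserRepository` and its two methods are hypothetical; the servlet API is the standard `javax.servlet` one.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical repository: checks the submitted password against the salted
// hash stored for the user (DB or LDAP behind it) and never hands the password back.
interface UserRepository {
    boolean verifyCredentials(String username, String password);
    String findDisplayName(String username);
}

@WebServlet("/login")
public class LoginServlet extends HttpServlet {

    // Assumed to be wired in by the application (dependency injection, JNDI, ...).
    private UserRepository users;

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String username = req.getParameter("username");
        String password = req.getParameter("password");

        if (username == null || password == null
                || !users.verifyCredentials(username, password)) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Invalid credentials");
            return;
        }
        password = null; // the plain password is not needed past this point

        // Discard any session that existed before login so the authenticated
        // state lives under a freshly issued session id.
        HttpSession old = req.getSession(false);
        if (old != null) {
            old.invalidate();
        }
        HttpSession session = req.getSession(true);

        // Only the unique username identifies the user; profile details are
        // re-read from the database by username whenever they are needed.
        session.setAttribute("username", username);
        // Non-sensitive display data may be cached for JSP/EL convenience.
        session.setAttribute("displayName", users.findDisplayName(username));
        session.setMaxInactiveInterval(30 * 60); // expire idle sessions after 30 minutes

        resp.sendRedirect(req.getContextPath() + "/home");
    }
}
```

The form posting to `/login` should be served over HTTPS, as the first answer notes, so neither the submitted password nor the session cookie travels in the clear.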