
Question on maintaining customer info in session

 
Dhiren Joshi
Ranch Hand
Posts: 463
How acceptable is it from a security standpoint to maintain the customer profile information in a session so that the backend EJB or even the SLSB are not invoked for getting customer-sensitive data like the credit card?
The pros are that the system doesn't need to retrieve the information from any backend systems.
The cons I am not aware of. Maybe a security issue.

Thanks
Dhiren
 
Deepak Pant
Ranch Hand
Posts: 446
I think it is OK to keep some kind of User object in the HTTP Session once the user has been authenticated. This is a very common implementation in app servers like WebLogic & WebSphere.

An object called Subject is stored in the Session indicating the authenticated user.

But I do not think you should cache information like Credit Card details in the session. What if the user logs in from a separate browser and deletes that credit card from the system?

I think as long as you provide proper assumptions, it should be fine.
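The pattern the reply describes, as an added example that is not code from this thread or from any app server: the HTTP session holds only an identity object (customer id and roles), and card data is fetched from the backend on each request so that it cannot go stale or be exposed through the session store. `ProfileService`, `CardSummary`, `SessionUser`, the `authenticatedUser` attribute name and the locator used in `init()` are all assumed names, standing in for whatever EJB or SLSB owns the profile data.

```java
import java.io.IOException;
import java.io.Serializable;
import java.util.Collections;
import java.util.Set;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public class CheckoutServlet extends HttpServlet {

    /** Session attribute key for the authenticated user (constructed name). */
    static final String USER_ATTR = "authenticatedUser";

    /** The only thing stored in the session: who the user is, not their data. */
    static final class SessionUser implements Serializable {
        private static final long serialVersionUID = 1L;
        private final String customerId;
        private final Set<String> roles;

        SessionUser(String customerId, Set<String> roles) {
            this.customerId = customerId;
            this.roles = Collections.unmodifiableSet(roles);
        }
        String getCustomerId() { return customerId; }
        boolean hasRole(String role) { return roles.contains(role); }
    }

    /** Display-safe view of a card: masked number only, never the full PAN. */
    static final class CardSummary {
        final String last4;
        final String expiry;
        CardSummary(String last4, String expiry) { this.last4 = last4; this.expiry = expiry; }
    }

    /** Hypothetical facade over the backend EJB / SLSB that owns card data. */
    interface ProfileService {
        /** Returns the customer's current card summary, or null if none is on file. */
        CardSummary currentCard(String customerId);
    }

    private ProfileService profiles;

    @Override
    public void init() {
        // Hypothetical lookup; in a real deployment this is a JNDI lookup or injection.
        profiles = ProfileServiceLocator.lookup();
    }

    /** Called once credentials have been verified; stores only the identity. */
    static void establishSession(HttpServletRequest request, String customerId, Set<String> roles) {
        HttpSession old = request.getSession(false);
        if (old != null) {
            old.invalidate();          // discard the pre-login session id (session fixation)
        }
        HttpSession session = request.getSession(true);
        session.setAttribute(USER_ATTR, new SessionUser(customerId, roles));
    }

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        HttpSession session = request.getSession(false);
        SessionUser user = session == null ? null : (SessionUser) session.getAttribute(USER_ATTR);
        if (user == null) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        // Card details come from the backend on every request: a card removed
        // from another browser is gone here too, and the full number never sits
        // in the HTTP session or in a replicated session store.
        CardSummary card = profiles.currentCard(user.getCustomerId());
        response.setContentType("text/plain");
        if (card == null) {
            response.getWriter().println("No card on file");
        } else {
            response.getWriter().println("Card ending " + card.last4 + ", expires " + card.expiry);
        }
    }
}
```

The cost of this design is one backend call per page that needs the card, which is exactly the trade-off the question raises; what it buys is that the session (and anything it is serialized to) only ever identifies the user, so a leaked or replicated session carries no card data.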
 