How acceptable is it from a security standpoint to maintain the customer profile information in a session so that the backend EJB or even the SLSB are not invoked for getting customer-sensitive data like the credit card? The pros are that the system doesn't need to retrieve the information from any backend systems. The cons I am not aware of... maybe a security issue.
posted 12 years ago
I think it is OK to keep some kind of User object in the HTTP Session once the user has been authenticated. This is a very common implementation in app servers like WebLogic & WebSphere.
An object called Subject is stored in the Session indicating the authenticated user.
But I do not think you should cache information like Credit Card details in the session. What if the user logs in from a separate browser and deletes that credit card from the system?
I think as long as you provide proper assumptions, it should be fine.
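The staleness problem described in the answer above, as an added example that is not code from this thread. It keeps only the authenticated principal in the session and fetches card data from the backend on every request, and contrasts that with caching the card list in the session. The session is modelled as a plain `Map` so the example runs stand-alone (in a servlet container this would be `HttpSession`), and `CardService` is a constructed in-memory stand-in for the EJB/SLSB that owns the data; the user id and masked card value are constructed sample data.

```java
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

public class SessionCardDemo {

    // Constructed stand-in for the backend bean (EJB/SLSB) that owns the
    // authoritative card data. Only masked values (last four digits) are
    // kept here; the full PAN never leaves the payment backend.
    static class CardService {
        private final Map<String, Set<String>> cardsByUser = new HashMap<>();

        void addCard(String userId, String maskedCard) {
            cardsByUser.computeIfAbsent(userId, k -> new HashSet<>()).add(maskedCard);
        }

        void deleteCard(String userId, String maskedCard) {
            Set<String> cards = cardsByUser.get(userId);
            if (cards != null) {
                cards.remove(maskedCard);
            }
        }

        // Returns a defensive copy so callers cannot mutate backend state.
        Set<String> cardsFor(String userId) {
            return new HashSet<>(cardsByUser.getOrDefault(userId, new HashSet<>()));
        }
    }

    // Approach discouraged in the answer: read the card list cached in the
    // session at login time. It never sees changes made elsewhere.
    @SuppressWarnings("unchecked")
    static Set<String> cardsFromSessionCache(Map<String, Object> session) {
        Object cached = session.get("cachedCards");
        return cached == null ? new HashSet<>() : (Set<String>) cached;
    }

    // Approach the answer recommends: the session holds only the
    // authenticated Subject (here just a user id) and sensitive data is
    // fetched from the backend per request, so it is always current.
    static Set<String> cardsViaBackend(Map<String, Object> session, CardService backend) {
        Object subject = session.get("subject");
        if (subject == null) {
            throw new IllegalStateException("not authenticated");
        }
        return backend.cardsFor((String) subject);
    }

    public static void main(String[] args) {
        CardService backend = new CardService();
        backend.addCard("alice", "****4242"); // constructed sample card

        // Browser A: user authenticates; the session stores the Subject.
        // (Caching the card list here is the pattern the answer warns against.)
        Map<String, Object> sessionA = new HashMap<>();
        sessionA.put("subject", "alice");
        sessionA.put("cachedCards", backend.cardsFor("alice"));

        // Browser B: same user logs in separately and deletes the card.
        Map<String, Object> sessionB = new HashMap<>();
        sessionB.put("subject", "alice");
        backend.deleteCard((String) sessionB.get("subject"), "****4242");

        // Session A's cache still reflects the state at login time,
        // while the per-request backend lookup reflects the deletion.
        System.out.println("session cache: " + cardsFromSessionCache(sessionA));
        System.out.println("backend lookup: " + cardsViaBackend(sessionA, backend));
    }
}
```

The design choice this illustrates: the session is a good place for an identity (the Subject) because that is what authentication produced and it does not change during the session, whereas card details are mutable, shared across the user's sessions, and sensitive, so they belong in the backend and should be requested, already masked, only when a page needs them.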