
Secure Session Object

Classification Key : Core Security, Information Disclosure


A multi-user, multi-application distributed system needs a mechanism that makes the security context associated with a client session globally accessible and carries that context securely among the distributed applications, each running in its own address space. The developer has to design a standardized structure and interface for the security context. If the context is not retained, users have to authenticate for every request they make. The context has to be protected from malicious code that might use reflection to read private members of the object. Attackers could sniff the serialized session object while it is in transit and misuse its data. Components may print session object information into log files. How can the context be saved and routed securely?


Encapsulate the authentication and authorization credentials that are passed across boundaries in a session object. Hold authentication and authorization information such as credentials, roles and privileges in that object and use it as the unit of secure transport, so that the serialized form is encrypted and integrity-protected whenever it leaves an address space. Define the session object as an abstract interface and supply a vendor-specific implementation behind it. Make sure the session object does not inadvertently expose data to non-privileged entities: keep its members private and immutable, leave raw credentials out of its serialized and printable representations, and protect the serialized form in transit.
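As an added illustration of the solution (this is example code written for this page, not code from the catalog or from any vendor's implementation), the following Java 9+ sketch shows the three protections the problem statement asks for: private final members with defensive copies and a transient credential that never serializes, a toString that omits the credential so logging components cannot leak it, and an AES-GCM seal applied to the serialized object before it crosses an address-space boundary. The class names SecureSessionObject and SessionTransport, the key shared by both ends, and the principal, roles and privileges in main are all assumptions made for the example.

```java
import java.io.*;
import java.nio.ByteBuffer;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

/** Immutable carrier for the security context of one authenticated session (example class). */
public final class SecureSessionObject implements Serializable {
    private static final long serialVersionUID = 1L;
    private final String principal;
    private final Set<String> roles;
    private final Set<String> privileges;
    private final long expiresAtMillis;
    // transient: skipped by Java serialization, so the raw authenticator never appears
    // in the bytes that cross an address-space boundary.
    private final transient char[] credential;

    public SecureSessionObject(String principal, Set<String> roles, Set<String> privileges,
                               long expiresAtMillis, char[] credential) {
        this.principal = principal;
        this.roles = Collections.unmodifiableSet(new HashSet<>(roles));           // defensive copies:
        this.privileges = Collections.unmodifiableSet(new HashSet<>(privileges)); // callers cannot mutate
        this.expiresAtMillis = expiresAtMillis;
        this.credential = credential == null ? null : credential.clone();
    }

    public String getPrincipal() { return principal; }
    public boolean hasRole(String role) { return roles.contains(role); }
    public boolean hasPrivilege(String privilege) { return privileges.contains(privilege); }
    public boolean isExpired(long nowMillis) { return nowMillis >= expiresAtMillis; }
    public boolean hasCredential() { return credential != null; }

    /** Components that log the object get only safe fields; the credential is never printed. */
    @Override public String toString() {
        return "SecureSessionObject[principal=" + principal + ", roles=" + roles + "]";
    }

    public static void main(String[] args) throws Exception {
        SecretKey key = KeyGenerator.getInstance("AES").generateKey(); // assumed shared by both ends
        SecureSessionObject local = new SecureSessionObject("alice", Set.of("user"),
                Set.of("orders:read"), System.currentTimeMillis() + 600_000, "p@ssw0rd".toCharArray());
        byte[] wire = SessionTransport.seal(local, key);
        SecureSessionObject remote = SessionTransport.unseal(wire, key, System.currentTimeMillis());
        System.out.println(remote + " hasCredential=" + remote.hasCredential()); // credential absent
        wire[wire.length - 1] ^= 1;                                             // flip one ciphertext bit
        try {
            SessionTransport.unseal(wire, key, System.currentTimeMillis());
        } catch (GeneralSecurityException e) {
            System.out.println("tampered blob rejected: " + e.getClass().getSimpleName());
        }
    }
}

/** Seals a session object for transfer between address spaces with AES-GCM: the ciphertext hides
 *  the context from a sniffer and the authentication tag rejects any change to roles or privileges. */
final class SessionTransport {
    private static final int IV_BYTES = 12, TAG_BITS = 128;
    private static final SecureRandom RNG = new SecureRandom();
    // Deserialization filter (Java 9+): only the session class and java.util collections may be
    // instantiated from an incoming stream; any other class, gadget chains included, is refused.
    private static final ObjectInputFilter FILTER =
            ObjectInputFilter.Config.createFilter("SecureSessionObject;java.util.*;!*");

    static byte[] seal(SecureSessionObject session, SecretKey key)
            throws IOException, GeneralSecurityException {
        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bytes)) { out.writeObject(session); }
        byte[] iv = new byte[IV_BYTES];
        RNG.nextBytes(iv);                                   // fresh nonce for every message
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, iv));
        byte[] ciphertext = cipher.doFinal(bytes.toByteArray());
        return ByteBuffer.allocate(iv.length + ciphertext.length).put(iv).put(ciphertext).array();
    }

    static SecureSessionObject unseal(byte[] blob, SecretKey key, long nowMillis)
            throws IOException, GeneralSecurityException, ClassNotFoundException {
        ByteBuffer buf = ByteBuffer.wrap(blob);
        byte[] iv = new byte[IV_BYTES];
        buf.get(iv);
        byte[] ciphertext = new byte[buf.remaining()];
        buf.get(ciphertext);
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, iv));
        byte[] plain = cipher.doFinal(ciphertext);          // AEADBadTagException on any modification
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(plain))) {
            in.setObjectInputFilter(FILTER);
            SecureSessionObject session = (SecureSessionObject) in.readObject();
            if (session.isExpired(nowMillis)) throw new SecurityException("session expired");
            return session;
        }
    }
}
```

Two caveats a practitioner will want. The ObjectInputFilter matters because an object that is deserialized at the receiving end is itself an attack surface: without the filter, a forged or replaced blob could instantiate arbitrary classes; with the seal, a forger also needs the key. On the reflection threat named in the problem: the J2EE-era answer was a SecurityManager with ReflectPermission checks, but the SecurityManager has been deprecated for removal since Java 17, so the durable protection is what the class above does structurally (private final fields, no setters, defensive copies) together with not opening the package to untrusted modules.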

Known Uses

A Web service implementation in J2EE that keeps session information.

Related Patterns

Security Session


Sun Book


Session, State


Last modified: May 05, 2012

Conceived and Maintained by: Munawar Hafiz