
Security Session

Classification Key: Core Security, Information Disclosure


Many web-based transactions require the user to browse through multiple web pages. Normally the user logs in at the start of the transaction and then follows a sequence of web pages. Different components acting on behalf of a user might need to know which user is activating them and what that user's permissions are. Having every individual component or program within the system identify, authenticate and authorize users is annoying to both users and developers. In addition, system components might call each other or work together and thus need a way to share information about the user without exposing this 'global' data to other users. How can the user data be shared between components?


Create a session object that holds all of the variables that need to be shared by many objects. Associate every action of the user with the session.

Known Uses

Cookies in the HTTP protocol.
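The following Python code is an added illustration of the solution above and of the HTTP-cookie known use; it is not part of the catalog page or of any project it cites. It assumes a hypothetical server-side `SessionStore` keyed by an opaque random identifier: the browser only ever holds that identifier in a cookie, while the user name and permissions stay on the server, so components can share the session state without exposing it to other users. The idle timeout, the permission names and the two sample components (`report_component`, `audit_component`) are constructed for the example.

```python
import secrets
import time
from http.cookies import SimpleCookie

# Constructed value for the example: a 30-minute idle timeout.
SESSION_TTL_SECONDS = 1800


class SessionStore:
    """Server-side map from an opaque session id to the shared user state.

    Only the random id travels to the client; the user data it refers to is
    never serialised into the cookie, so another user cannot read it and a
    guessed id is infeasible with 256 bits of entropy.
    """

    def __init__(self, ttl=SESSION_TTL_SECONDS, clock=time.time):
        self._sessions = {}
        self._ttl = ttl
        self._clock = clock  # injectable for deterministic tests

    def create(self, user, permissions):
        """Called once at login; returns the id to place in the cookie."""
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {
            "user": user,
            "permissions": frozenset(permissions),
            "last_seen": self._clock(),
        }
        return sid

    def get(self, sid):
        """Return the session dict, or None if unknown or expired."""
        session = self._sessions.get(sid)
        if session is None:
            return None
        if self._clock() - session["last_seen"] > self._ttl:
            del self._sessions[sid]  # expired: drop it so it cannot be reused
            return None
        session["last_seen"] = self._clock()
        return session

    def destroy(self, sid):
        """Logout: invalidate the id server-side, not just in the browser."""
        self._sessions.pop(sid, None)


def login_response_cookie(sid):
    """Build the Set-Cookie value that hands the opaque id to the browser."""
    cookie = SimpleCookie()
    cookie["SESSIONID"] = sid
    cookie["SESSIONID"]["httponly"] = True   # not readable by page scripts
    cookie["SESSIONID"]["secure"] = True     # sent only over HTTPS
    cookie["SESSIONID"]["samesite"] = "Lax"  # not attached to cross-site POSTs
    cookie["SESSIONID"]["path"] = "/"
    return cookie.output(header="").strip()


def session_from_cookie_header(store, cookie_header):
    """Resolve the Cookie request header back to the shared session state."""
    cookie = SimpleCookie()
    cookie.load(cookie_header or "")
    morsel = cookie.get("SESSIONID")
    if morsel is None:
        return None
    return store.get(morsel.value)


# Two hypothetical components acting on behalf of the user. Neither
# authenticates the user itself; both consult the session instead.
def report_component(store, cookie_header):
    session = session_from_cookie_header(store, cookie_header)
    if session is None:
        return (401, "login required")
    if "view_reports" not in session["permissions"]:
        return (403, "forbidden")
    return (200, "report for " + session["user"])


def audit_component(store, cookie_header, action):
    """Associates an action with the session's user for the audit trail."""
    session = session_from_cookie_header(store, cookie_header)
    if session is None:
        return None
    return (session["user"], action)


if __name__ == "__main__":
    store = SessionStore()
    sid = store.create("alice", ["view_reports"])
    print(login_response_cookie(sid))
    print(report_component(store, "SESSIONID=" + sid))
    print(audit_component(store, "SESSIONID=" + sid, "download"))
    store.destroy(sid)
    print(report_component(store, "SESSIONID=" + sid))
```

The design choice worth noting is that the cookie carries a reference, not the data: permissions are looked up server-side on every request, so revoking access or logging out takes effect immediately via `destroy`, and an expired or unknown id simply resolves to "no session".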

Related Patterns

Single Sign On, Policy Enforcement Point, Integration Reverse Proxy, Front Door


Wiley Book


Single Sign On, Session


Last modified: May 05, 2012

Conceived and Maintained by: Munawar Hafiz