I want to keep the admin / user access key in the HttpSession but I don’t know if this is correct? Can the user edit his session and gain access to the administrator role?

    final HttpSession session = req.getSession();
    session.setAttribute("access", access);
  • If you want to experiment, then you can store an access key there (you can also use the user's id), but it’s better not to. A user sees a session like this: Cookie:JSESSIONID=A6F9A23571CBB66B795AD6F3163B9EDB , so only this identifier can be changed on the client side (but not the values in the session, which change only on the server side). - MrFylypenko
  • No, not worth it. For the simple reason that you cannot just take and trust the information that comes from the user. And if you check every time in the code whether this user really has such rights, then there is no sense in keeping this information in the session. But this is if this key goes to the client (I don’t know exactly how the HttpSession works). If the key is stored only on the server and is loaded by session ID, then it should be fine. - Regent
  • And what is the access key? - Mikhail Vaysman
  • If you find something sensible to read, then there will definitely be something about the standard authorization mechanism using roles: how to restrict access by roles to pages and to method calls, and how to programmatically check whether a user has a given role. - Sergey
  • Read the JavaEE manual. At least learn keywords to google. Read the Spring guide. It has its own secrecy, similar to yours, through filters. - Sergey

1 answer

You can safely save this information in HttpSession. Just remember that the session is tied to the server and if you have more than one, then you need to synchronize the session.

If the access level for the client is changed, the session will have to be reset, since it will have the old level.
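To make the answer concrete, here is an added example (not code from the question or the answer) of the pattern the thread describes: the role is stored in the server-side HttpSession under the same "access" attribute name as in the question, the client only ever holds the JSESSIONID cookie, and a servlet Filter checks the attribute before letting a request reach /admin/* pages. The ADMIN/USER role values, the /admin/* path, and the login and role-change helper methods are assumptions made for the example; the javax.servlet calls (getSession(false), changeSessionId(), invalidate()) are standard Servlet 3.1 API.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Restricts every request under /admin/* to sessions whose server-side
 * "access" attribute is ADMIN. The browser cannot edit this attribute:
 * it only carries the session ID, and the attribute map lives in the
 * container on the server (or in a shared session store when clustered).
 */
@WebFilter("/admin/*")
public class AdminAccessFilter implements Filter {

    // Same attribute name as in the question; role values are assumed for the example.
    static final String ACCESS_ATTR = "access";
    static final String ROLE_ADMIN = "ADMIN";
    static final String ROLE_USER = "USER";

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse resp = (HttpServletResponse) response;

        // getSession(false): do not create a session for an anonymous request.
        HttpSession session = req.getSession(false);
        Object access = (session == null) ? null : session.getAttribute(ACCESS_ATTR);

        if (!ROLE_ADMIN.equals(access)) {
            // No session, no attribute, or a non-admin role: deny without details.
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(request, response);
    }

    /**
     * Called after the credentials have been verified (assumed helper).
     * Rotating the session ID before storing privileged state means an ID
     * that was known before login does not become an admin session.
     */
    static void onLoginSuccess(HttpServletRequest req, String roleFromDatabase) {
        req.changeSessionId();                        // Servlet 3.1: new JSESSIONID, same attributes
        HttpSession session = req.getSession(true);
        session.setAttribute(ACCESS_ATTR, roleFromDatabase);
    }

    /**
     * Called when an administrator changes a user's access level (assumed helper).
     * As the answer notes, the existing session still holds the old level, so it
     * must be reset: invalidating forces the user to log in and get the new role.
     */
    static void onAccessLevelChanged(HttpSession sessionOfAffectedUser) {
        if (sessionOfAffectedUser != null) {
            sessionOfAffectedUser.invalidate();
        }
    }
}
```

The filter never reads the role from a request parameter, header or cookie, only from the session attribute the server itself set in onLoginSuccess, which is the point the comments make: the client can swap its JSESSIONID, but it cannot write into another session's attribute map. With more than one server, the session store (or sticky sessions plus replication) has to be shared for the same check to hold everywhere.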