
Is it secure to store values in session?

I am developing a web application where UserId and RoleId play a vital role... Is it secure to store these values in session? Some other options can be a hidden field or a cookie... Which is more secure?

Any suggestion for this...


Sessions are more secure than cookies and hidden fields because they are kept on the server. Cookies usually shouldn't contain sensitive data, even encrypted, as users have direct access to them. Hidden fields are also sent to the client, but simply not displayed. Therefore, using tools such as FireBug, you can easily display this content.

There are various places you can store the session, such as in memory (if you're not using them much) or have a SQL server maintaining them. You can get more information on sessions here. Sessions are secure because of the fact that they are stored server side.


Session variables are more secure than cookies, because they're on your server, not the user's computer. Sessions aren't perfect though -- they can be hijacked by stealing the session key. Still, this is more difficult to do than just taking a cookie that's been saved on a computer.


When I need to store "vulnerable" data in session I encrypt the data before storing. The encryption options are created dynamically and are not stored anywhere so if the session ID is compromised, the hacker has no way of decrypting the data. There is a performance overhead so I only store values that need to be secure.


Session is definitely more secure than hidden fields or cookies.

The difference is the SESSION values are stored on the SERVER, and hidden fields and cookies are stored on the client.


Session would be more secure than a cookie (session is stored in memory on the server, where the cookie goes to the client).
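To make the point of the answers above concrete, here is an added illustration (not code from any of the posters) of the difference between trusting a client-held RoleId and keeping it server-side behind an opaque session token. The store class, the token length and the sample UserId/RoleId values are assumptions for the example.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class SessionData:
    user_id: int
    role_id: int


class ServerSessionStore:
    """Hypothetical in-memory session store; a real application would use
    its framework's session provider or a SQL/redis-backed store."""

    def __init__(self) -> None:
        self._sessions: Dict[str, SessionData] = {}

    def create(self, user_id: int, role_id: int) -> str:
        # The client only ever receives this unguessable identifier;
        # UserId and RoleId themselves never leave the server.
        token = secrets.token_urlsafe(32)
        self._sessions[token] = SessionData(user_id, role_id)
        return token

    def lookup(self, token: str) -> Optional[SessionData]:
        return self._sessions.get(token)

    def destroy(self, token: str) -> None:
        # Invalidating the token on logout limits how long a stolen
        # session key stays usable (the hijacking risk noted above).
        self._sessions.pop(token, None)


def role_from_hidden_field(form: Dict[str, str]) -> int:
    """Client-side storage: the server must trust whatever comes back."""
    return int(form["RoleId"])


def hidden_field_demo() -> Tuple[int, int]:
    # Constructed form as rendered by the server (2 = ordinary user), then
    # as the client submits it after editing the hidden field to 1 (admin).
    rendered = {"UserId": "42", "RoleId": "2"}
    submitted = dict(rendered, RoleId="1")
    return role_from_hidden_field(rendered), role_from_hidden_field(submitted)


def session_demo() -> Tuple[Optional[int], Optional[int]]:
    store = ServerSessionStore()
    token = store.create(user_id=42, role_id=2)
    genuine = store.lookup(token)
    # Altering the token cannot change RoleId: it simply matches no session.
    forged = store.lookup(token[:-1] + ("A" if token[-1] != "A" else "B"))
    return (genuine.role_id if genuine else None, forged.role_id if forged else None)
```

Run `hidden_field_demo()` and `session_demo()` to see that the hidden-field version yields the client-chosen role while the session version yields either the server's value or nothing.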

