Security of Java sessions: Are they stored on server or client? Can they be modified by the user?

0

I think the title is quite descriptive. Java sessions: are they stored on the client side or on the server side? If they are stored on the client side (in the web browser), do they run the risk of being edited? If so, what countermeasures can be taken?

I have to use sessions to save information that, if modified by external agents, would allow the user to access restricted places. Hence the question.

    
asked by Facundo Curti 21.07.2018 at 04:02

1 answer

0

I hope to help you with this concept.

For me, sessions are not stored anywhere; they are created, and they serve to store information between different HTTP requests (these are GET and POST), so it will travel until the end of the client's request, or you can also destroy it.

I understand that you want to restrict access to certain parts of your website, this can be done very well with a Java Filter and right there you can assign the session with the information you want to be shared from then on.

Greetings!!

    
answered by 01.08.2018 at 03:32