How to preserve data between two calls to controller methods?

Question

I have 2 JSPs: pay.jsp, confirmPay.jsp

User submits data (credit card# etc.) on pay.jsp. This data is validated at the backend and is displayed along with some other data, on confirmPay.jsp. Once he clicks on 'Confirm', the data (from the pay.jsp page) is used for billing. If he clicks 'Cancel', the payment is discarded.

The important things here are:

1. Data should be modifiable only in pay.jsp
2. Data should be preserved between the two calls

I know this question is similar to How to preserve the ModelMap between form submits?. Just wanted to know what works for situations like this, that involves sensitive information (like credit card#). Putting it in a session would mean that multiple calls in the same function will create issues.

Please help me understand what the best choice is.

Answer 1

If you're concerned about storing sensitive data in the session, then don't worry. The session is held in memory at server-side. It doesn't goes on the wire, and can't be read from the browser memory of by an intruder on the network.

If you're concerned about users having multiple opened browser tabs or frames on the same pages, and sending several payments in parallel, in the same session, then it's a very valid concern. I tend to prefer stateless solutions, so if hidden fields are an acceptable solution, then just use them to maintain state from one page to the next one. This won't cause any problem with multiple tabs. If you need to use the session to store intermediate state, then you can simply generate a unique ID (using a sequence number, for example), store the data in the session using the unique ID as session attribute, and pass this unique ID frompage to page using a hidden field. That way, multiple tabs will use different session attributes, and won't disturb each other.