You can package up the data so that there is authentication to evaluate before you hit the serialization layer, and integrity behind that authentication.
This might be your approach if, say, your session cookie is based on serialized Java.
(However, most people give up on this approach - Java serialization is also very inefficient space-wise, and the cookie will get too big for the browser to honor.)
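
A sketch of the packaging described above, added here as an illustration and not code from the original post: the serialized bytes carry an HMAC-SHA256 tag, and the tag is checked before `ObjectInputStream` ever sees them. The class name `SignedSession`, the `payload.tag` cookie layout, the choice of HMAC-SHA256 and the demo key are all assumptions.

```java
import java.io.*;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public class SignedSession { // hypothetical class name
    static final Base64.Encoder ENC = Base64.getUrlEncoder().withoutPadding();
    static final Base64.Decoder DEC = Base64.getUrlDecoder();
    static byte[] hmac(byte[] key, byte[] data) throws GeneralSecurityException {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(key, "HmacSHA256"));
        return mac.doFinal(data);
    }

    // Serialize, then attach a MAC computed over the serialized bytes.
    static String seal(Serializable value, byte[] key) throws IOException, GeneralSecurityException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) {
            out.writeObject(value);
        }
        byte[] payload = buf.toByteArray();
        return ENC.encodeToString(payload) + "." + ENC.encodeToString(hmac(key, payload));
    }

    // Verify the MAC first; unauthenticated bytes never reach the serialization layer.
    static Object open(String cookie, byte[] key)
            throws IOException, GeneralSecurityException, ClassNotFoundException {
        String[] parts = cookie.split("\\.", -1);
        if (parts.length != 2) throw new SecurityException("malformed cookie");
        byte[] payload, tag;
        try { payload = DEC.decode(parts[0]); tag = DEC.decode(parts[1]); }
        catch (IllegalArgumentException e) { throw new SecurityException("malformed cookie"); }
        if (!MessageDigest.isEqual(hmac(key, payload), tag)) // constant-time comparison
            throw new SecurityException("bad MAC, refusing to deserialize");
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(payload))) {
            return in.readObject();
        }
    }
    public static void main(String[] args) throws Exception {
        byte[] key = "constructed-demo-key-not-for-use".getBytes(StandardCharsets.UTF_8); // placeholder
        String cookie = seal("user=alice", key); // constructed sample session value
        System.out.println(open(cookie, key));
        String tampered = "A" + cookie.substring(1); // serialized streams start with "rO0", so this alters the payload
        try { open(tampered, key); } catch (SecurityException e) { System.out.println(e.getMessage()); }
    }
}
```

The MAC only establishes that the server produced the bytes; the key has to stay server-side and be generated randomly rather than hard-coded as in this demo.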