...
The non-compliant example above can be resolved by using the HttpSession class within the javax.servlet.http package to store user information instead of cookies. Because HttpSession objects live on the server, an attacker cannot directly read the session's contents through cross-site scripting or man-in-the-middle attacks. Instead of carrying any excess or sensitive information, the cookie holds only the user's session id, which refers to the user's HttpSession object stored on the server. As a result, the attacker must first obtain the session id, and only then do they have a chance of reaching a user's account details.
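The following is an added illustration of the compliant pattern described above; it is not code from the original page. It assumes a hypothetical `LoginServlet` and `AccountServlet`, a placeholder `authenticate()` credential check, and a constructed sample attribute `accountTier`. Only the session id reaches the browser (as the container's session cookie); the user's details are written to, and read back from, the server-side `HttpSession`.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical login servlet: after the credentials check, the user's details
// are stored in the server-side HttpSession. The browser only ever receives
// the container's session cookie carrying the session id.
public class LoginServlet extends HttpServlet {

    // Placeholder: real credential verification is out of scope for this example.
    private boolean authenticate(String username, String password) {
        return username != null && password != null && !password.isEmpty();
    }

    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        String username = request.getParameter("username");
        String password = request.getParameter("password");

        if (!authenticate(username, password)) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        // Hardening step (assumed practice, not from the page): discard any
        // session that existed before authentication so a pre-login session id
        // is never promoted to a logged-in one.
        HttpSession old = request.getSession(false);
        if (old != null) {
            old.invalidate();
        }
        HttpSession session = request.getSession(true);

        // Sensitive data stays on the server: it is reachable only by presenting
        // the session id, never by reading the cookie contents.
        session.setAttribute("username", username);
        session.setAttribute("accountTier", "standard"); // constructed sample attribute

        // Non-compliant pattern, shown only as a comment: placing the data itself
        // in a cookie exposes it to anyone who can read the client's cookies.
        // response.addCookie(new javax.servlet.http.Cookie("username", username));

        response.sendRedirect(request.getContextPath() + "/account");
    }
}

// Hypothetical servlet that reads the stored details back. It requires an
// existing session (getSession(false) never creates one) and takes the user's
// identity from the server-side session, not from anything the client sends.
class AccountServlet extends HttpServlet {
    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        HttpSession session = request.getSession(false);
        Object username = (session == null) ? null : session.getAttribute("username");
        if (username == null) {
            response.sendRedirect(request.getContextPath() + "/login");
            return;
        }
        response.setContentType("text/plain");
        response.getWriter().println("Logged in as " + username);
    }
}
```

Since the session id is now the only thing worth stealing, the session cookie itself should be protected: with Servlet 3.0 and later this can be done through `getServletContext().getSessionCookieConfig().setHttpOnly(true)` and `.setSecure(true)`, or the equivalent `<cookie-config>` element in `web.xml`, so that scripts cannot read it and it is sent only over TLS.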
...