...
The non compliant example above can be resolved by using the HttpSession class HttpSesssion class within the javax.servlet.http package ?to store user information as opposes opposed to cookies. Since HttpSession objects are server-side, it is impossible for an attacker to gain access to the session information directly through cross-site scripting attacks. Instead, the session id of the user is stored within the cookie as opposed to any excess or sensitive information. As a result, the attacker must first gain access to the session id and only then do they have a chance of gaining access to a user's account details.
...