Gateway / GTWY-1535

User Instances Stored in HttpSession can Become Stale


      Currently our User instances are stored in the HttpSession. Normally this is a bad idea: if that User is updated in the database, the User instance in the HttpSession is only updated when the User logs out of the system and then logs back in.

      We have seen this issue manifest itself in several ways:

      GTWY-1364 - A User who is logged in applies for membership in a specific group. If they are still logged in when the membership is approved, they will not be able to access the group data until they log out and log back in.

      GTWY-1408 - Unable to stop renegade system admins. If an admin is logged into the system and performing malicious actions, we wouldn't be able to update their permissions to stop them. We would have to actually shut down the system, manually update the database, and then restart the system.

      To add to the group membership issue above (GTWY-1364): if a User attempts to update their account information (password, username, applying for more group memberships, etc.) AFTER their account has been updated by an administrator of the system, the User will receive an Exception because their Hibernate index will not be correct.
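
A minimal model of the failure described above, added here as an illustration and not taken from the Gateway code base: plain maps stand in for HttpSession and the user table, and the `User` record, its fields and the method names are hypothetical. It contrasts the session-cached User with one option the ticket does not itself prescribe, keeping only the user id in the session and reloading the User on each request.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.Set;

// Added illustration: plain maps stand in for HttpSession and the user table.
public class StaleSessionDemo {
    // Immutable snapshot of a user row (constructed model, not the Gateway User class).
    record User(long id, String name, Set<String> groups, boolean admin) {}

    static final Map<Long, User> database = new HashMap<>();    // stand-in for the user table
    static final Map<String, Object> session = new HashMap<>(); // stand-in for HttpSession attributes

    // Pattern from the issue: the whole User object is cached in the session at login.
    static void loginStoringUser(long id) { session.put("user", database.get(id)); }
    static User currentUserFromSnapshot() { return (User) session.get("user"); }

    // Alternative: keep only the identifier and resolve the User on every request.
    static void loginStoringId(long id) { session.put("userId", id); }
    static User currentUserReloaded() {
        User u = database.get((Long) session.get("userId"));
        if (u == null) {       // account removed while the session was still live
            session.clear();   // treat the session as logged out
            throw new IllegalStateException("session user no longer exists");
        }
        return u;
    }

    public static void main(String[] args) {
        // Constructed sample data: user 7 starts as an admin with no group memberships.
        database.put(7L, new User(7L, "alice", Set.of(), true));
        loginStoringUser(7L);
        loginStoringId(7L);

        // Mid-session, an administrator approves a group membership and revokes admin rights.
        database.put(7L, new User(7L, "alice", Set.of("research"), false));

        User stale = currentUserFromSnapshot();
        User fresh = currentUserReloaded();
        System.out.println("snapshot: admin=" + stale.admin() + " groups=" + stale.groups());
        System.out.println("reloaded: admin=" + fresh.admin() + " groups=" + fresh.groups());
    }
}
```

The snapshot path shows both symptoms at once: the approved membership is invisible (GTWY-1364) and the revoked admin flag is still honoured (GTWY-1408), while the reloaded path reflects the database on the next request.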

              Assignee: Unassigned
              Reporter: Nathan Hook (nhook)