In my previous article I discussed about using DWR inside Liferay Portlets, I wasn't happy with security this model provides. First lets have a look at what I proposed ThemeDisplay themeDisplay = (ThemeDisplay)portletRequest.getAttribute(WebKeys.THEME_DISPLAY); portletRequest.getPortletSession().setAttribute("THEME_DISPLAY", themeDisplay, PortletSession.APPLICATION_SCOPE); I was executing the above code inside my portlet's doView() and this puts themeDisplay or remoteUser object into portlet session's application scope, that means my DWR classes access the object like this @RemoteMethod public String echo(String msg, HttpSession session) { ThemeDisplay themeDisplay = (ThemeDisplay) session.getAttribute("THEME_DISPLAY"); } The problems what I see in the above technique is User can access DWR methods even after his portlet session ends, since DWR Session and portlet session are different Inverse of the above, A