The biggest limitations of sessions are their lifespan and their portability. You should be prepared for session data to disappear when a user's session expires, and be aware that session data is not available in other instances. It might be good to abstract your session storage into your own get/set functions so that you can switch out your storage mechanism in the future. Another tip for future-proofing is to try to store only data that can be serialized via Object.toJson(). That way, if you switch to a database or cluster shared maps, you will be ready.
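A sketch of such a get/set wrapper, added here as an example and not taken from the original text or any particular platform. The names `MemoryBackend`, `createSessionStore` and `assertPortable` are hypothetical, and standard `JSON.stringify` stands in for `Object.toJson()`.

```javascript
// Stand-in for the platform session scope: entries vanish after ttlMs.
// Any object with read(key)/write(key, text) can replace it later.
class MemoryBackend {
  constructor(ttlMs, now = () => Date.now()) {
    this.ttlMs = ttlMs; this.now = now; this.items = new Map();
  }
  read(key) {
    const hit = this.items.get(key);
    if (hit && this.now() < hit.expires) return hit.text;
    this.items.delete(key);
    return undefined;
  }
  write(key, text) {
    this.items.set(key, { text, expires: this.now() + this.ttlMs });
  }
}

// Throw on anything JSON would drop or alter silently: functions, undefined,
// NaN/Infinity, Dates and other class instances, circular references.
function assertPortable(value, path, ancestors = new Set()) {
  if (value === null || ['string', 'boolean'].includes(typeof value)) return;
  if (typeof value === 'number' && Number.isFinite(value)) return;
  if (typeof value !== 'object') throw new TypeError(`${path}: not JSON-serializable`);
  if (ancestors.has(value)) throw new TypeError(`${path}: circular reference`);
  const proto = Object.getPrototypeOf(value);
  if (!Array.isArray(value) && proto !== Object.prototype && proto !== null) {
    throw new TypeError(`${path}: only plain objects and arrays are portable`);
  }
  ancestors.add(value);
  for (const [k, v] of Object.entries(value)) assertPortable(v, `${path}.${k}`, ancestors);
  ancestors.delete(value);
}

function createSessionStore(backend) {
  return {
    set(key, value) {
      assertPortable(value, key);
      backend.write(key, JSON.stringify(value)); // stored as text, like a remote store
    },
    // Callers pass a fallback because the entry may have expired or may
    // have been written on another instance.
    get(key, fallback) {
      const text = backend.read(key);
      return text === undefined ? fallback : JSON.parse(text);
    },
  };
}
```

Because values are kept as JSON text, `get` returns a fresh copy each time, so code that works against this in-memory backend behaves the same once the backend is a database or shared map.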