The implementation of Session is vendor specific. Of course, it needs to comply with the interface specified in the servlet API. It is in memory.
But it can be serialized to the hard disk. Because you Never, Never, Never transmit the session to the Internet, it seems to me there is no security problem.
By the way, please use session.setAttribute(), session.getAttribute(), session.removeAttribute(). session.getValue() has been deprecated.
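
Added example, not part of the original post and not any container's own code: plain Java showing what is stored when session attributes are serialized, and how a transient field is kept out of the stored bytes. It assumes the container persists attributes with standard Java serialization; SessionPersistDemo, UserInfo, persist and restore are hypothetical names, and the values are constructed.

```java
import java.io.*;
import java.nio.charset.StandardCharsets;
import java.util.HashMap;
import java.util.Map;

public class SessionPersistDemo {
    // Hypothetical session attribute; only Serializable attributes can be persisted this way.
    static class UserInfo implements Serializable {
        private static final long serialVersionUID = 1L;
        String username;
        transient String authToken; // transient: skipped by Java serialization
        UserInfo(String username, String authToken) {
            this.username = username;
            this.authToken = authToken;
        }
    }

    // Stand-in (assumption) for the vendor-specific persistence step: serialize the attribute map.
    static byte[] persist(Map<String, Object> attributes) throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) {
            out.writeObject(new HashMap<>(attributes));
        }
        return buf.toByteArray();
    }

    // Stand-in for reloading the session after a restart.
    @SuppressWarnings("unchecked")
    static Map<String, Object> restore(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            return (Map<String, Object>) in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        Map<String, Object> attributes = new HashMap<>();
        attributes.put("user", new UserInfo("alice", "constructed-token-123")); // constructed values
        byte[] stored = persist(attributes);

        // ISO-8859-1 maps bytes 1:1 to chars, so ASCII strings in the stream can be searched for.
        String raw = new String(stored, StandardCharsets.ISO_8859_1);
        System.out.println("username in stored bytes:  " + raw.contains("alice"));
        System.out.println("authToken in stored bytes: " + raw.contains("constructed-token-123"));

        UserInfo restored = (UserInfo) restore(stored).get("user");
        System.out.println("restored username:  " + restored.username);
        System.out.println("restored authToken: " + restored.authToken); // transient field was never stored
    }
}
```

Non-transient attribute fields are written to the stored bytes as readable strings, so the directory a container uses for persisted sessions needs the same file permissions as any other store of user data.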