If you are using cbSecurity (which it looks like you are) then you can get it via.

auth().getuser()

in your handlers. You should not access the session scope at all to get it.

Thank youuu!