Technically these aren't Struts questions, they're generic regarding security.
Users don't have direct access to session objects (unless you give them access to them, anyway, but that would be unusual). Unless someone has access to the server and can access session memory somehow, it's secure enough.
By re-validating the credentials do you mean checking against the DB to see if the password is still correct? Unless someone on the server-side changes the password in the DB without changing the password of the user object in session, this is (essentially) impossible.
It is, however, possibly reasonable to check if that user is still allowed access to the system--for example, if an employee quits, some employers will *immediately* lock them out of the system to prevent them from accessing now-sensitive data. If your application has that kind of requirement then it *might* be reasonable to continuously check for access rights.
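A per-request access recheck of the kind described in this answer, as an added example that is not part of the original post: a servlet filter that leaves the password alone but asks the user store whether the account in session is still allowed in. `AccountStatusService`, `isStillAllowed` and the `username` session attribute are hypothetical names; the filter is assumed to be mapped only to protected URLs and registered programmatically with `ServletContext.addFilter`.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

/** Re-checks, on every request, that the session's user may still use the system. */
public class AccessRecheckFilter implements Filter {

    /** Hypothetical lookup backed by the user store (e.g. an "enabled" column). */
    public interface AccountStatusService {
        boolean isStillAllowed(String username);
    }

    // Assumed name of the session attribute set by the login action.
    static final String USER_ATTR = "username";

    private final AccountStatusService accounts;

    public AccessRecheckFilter(AccountStatusService accounts) {
        this.accounts = accounts;
    }

    @Override public void init(FilterConfig cfg) {}
    @Override public void destroy() {}

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        HttpSession session = request.getSession(false); // never create a session here
        Object user = (session == null) ? null : session.getAttribute(USER_ATTR);

        if (user == null) { // not logged in at all
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        // The password is not re-validated; only the current access right is.
        if (!accounts.isStillAllowed(user.toString())) {
            session.invalidate(); // drop the session of a locked-out account
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(req, res);
    }
}
```

Because the lookup runs on every request, a short-lived cache in front of `isStillAllowed` trades lockout latency for database load.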