If you have no intention of writting an ``++HttpSession++`` object to file, then storing non-``++serializable++`` objects in it may not seem like a big deal. But whether or not you explicitly serialize the session, it may be written to disk anyway, as the server manages its memory use in a process called "passivation". Further, some servers automatically write their active sessions out to file at shutdown & deserialize any such sessions at startup.


The point is, that even though ``++HttpSession++`` does not ``++extend Serializable++``, you must nonetheless assume that it will be serialized, and understand that if you've stored non-serializable objects in the session, errors will result. 


== Noncompliant Code Example

----
public class Address {
  //...
}

//...
HttpSession session = request.getSession();
session.setAttribute("address", new Address());  // Noncompliant; Address isn't serializable
----


== See

* https://owasp.org/Top10/A03_2021-Injection/[OWASP Top 10 2021 Category A4] - Insecure Design
* https://cwe.mitre.org/data/definitions/579.html[MITRE, CWE-579] - J2EE Bad Practices: Non-serializable Object Stored in Session


ifdef::env-github,rspecator-view[]

'''
== Implementation Specification
(visible only on this page)

include::message.adoc[]

'''
== Comments And Links
(visible only on this page)

include::comments-and-links.adoc[]
endif::env-github,rspecator-view[]