== Why is this an issue?

`HttpSession` s are managed by web servers and can be serialized and stored on disk as the server manages its memory use in a process called "passivation" (and later restored during "activation").

Even though `HttpSession` does not extend `Serializable`, you must nonetheless assume that it will be serialized.
If non-serializable objects are stored in the session, serialization might fail.


=== Noncompliant code example

[source,java,diff-id=1,diff-type=noncompliant]
----
public class Address {
  //...
}

HttpSession session = request.getSession();
session.setAttribute("address", new Address());  // Noncompliant; Address isn't serializable
----

=== Compliant solution
[source,java,diff-id=1,diff-type=compliant]
----
public class Address implements Serializable {
  //...
}

HttpSession session = request.getSession();
session.setAttribute("address", new Address());
----

== Resources

* OWASP - https://owasp.org/Top10/A04_2021-Insecure_Design/[Top 10 2021 Category A4 - Insecure Design]
* CWE - https://cwe.mitre.org/data/definitions/579[CWE-579 - J2EE Bad Practices: Non-serializable Object Stored in Session]


ifdef::env-github,rspecator-view[]

'''
== Implementation Specification
(visible only on this page)

=== Message

Make "xxx" serializable or don't store it in the session.


'''
== Comments And Links
(visible only on this page)

=== on 27 Feb 2015, 21:11:59 Freddy Mallet wrote:
@Ann, we can link this rule to http://cwe.mitre.org/data/definitions/579.html[CWE-579]: "J2EE Bad Practices: Non-serializable Object Stored in Session"

=== on 15 Feb 2016, 19:12:14 Ann Campbell wrote:
This maps to https://www.securecoding.cert.org/confluence/x/EYDeBw[CERT MSC08-J.] but I'm not adding a reference field value or a See entry because the CERT version is currently a stub.

endif::env-github,rspecator-view[]