41 lines
1.4 KiB
Plaintext
41 lines
1.4 KiB
Plaintext
If you have no intention of writting an ``++HttpSession++`` object to file, then storing non-``++serializable++`` objects in it may not seem like a big deal. But whether or not you explicitly serialize the session, it may be written to disk anyway, as the server manages its memory use in a process called "passivation". Further, some servers automatically write their active sessions out to file at shutdown & deserialize any such sessions at startup.
|
|
|
|
|
|
The point is, that even though ``++HttpSession++`` does not ``++extend Serializable++``, you must nonetheless assume that it will be serialized, and understand that if you've stored non-serializable objects in the session, errors will result.
|
|
|
|
|
|
== Noncompliant Code Example
|
|
|
|
[source,java]
|
|
----
|
|
public class Address {
|
|
//...
|
|
}
|
|
|
|
//...
|
|
HttpSession session = request.getSession();
|
|
session.setAttribute("address", new Address()); // Noncompliant; Address isn't serializable
|
|
----
|
|
|
|
|
|
== See
|
|
|
|
* https://owasp.org/Top10/A04_2021-Insecure_Design/[OWASP Top 10 2021 Category A4] - Insecure Design
|
|
* https://cwe.mitre.org/data/definitions/579.html[MITRE, CWE-579] - J2EE Bad Practices: Non-serializable Object Stored in Session
|
|
|
|
|
|
ifdef::env-github,rspecator-view[]
|
|
|
|
'''
|
|
== Implementation Specification
|
|
(visible only on this page)
|
|
|
|
include::message.adoc[]
|
|
|
|
'''
|
|
== Comments And Links
|
|
(visible only on this page)
|
|
|
|
include::comments-and-links.adoc[]
|
|
endif::env-github,rspecator-view[]
|