CRITICAL
Rule Definition
Storing a non-serializable object as an HttpSession attribute damages application reliability. Servlet containers serialize session attributes when they replicate sessions across a cluster or persist them across a restart, and an attribute whose class does not implement java.io.Serializable cannot be serialized. Depending on the container, serialization then either fails outright with a NotSerializableException or silently skips the offending attribute, so the session does not fail over, or comes back incomplete, and the state it held (including authentication state) is lost. It is therefore recommended to make any class stored in the session Serializable.
Remediation
Implement the java.io.Serializable marker interface (it is an interface, not a class to inherit from). Check that every field of the class is itself serializable or is declared transient so that it is skipped, declare a serialVersionUID so that replicated sessions stay compatible across deployments, and keep in mind that a serialized session may be written to disk or sent over the network, so do not store secrets in session attributes that you would not want persisted.
Violation Code Sample
// Sample Code: The following class stores itself in the session. Because it does not implement java.io.Serializable, the session containing it can no longer be replicated or persisted.
import javax.servlet.http.HttpSession;

public class DataGlob {
    String globName;
    String globValue;

    public void addToSession(HttpSession session) {
        session.setAttribute("glob", this);   // non-serializable attribute: violation
    }
}
Fixed Code Sample
// Implementing the java.io.Serializable marker interface lets the container serialize the attribute when it replicates or persists the session. Both fields are Strings, which are themselves serializable.
import javax.servlet.http.HttpSession;

public class DataGlob implements java.io.Serializable {
    String globName;
    String globValue;

    public void addToSession(HttpSession session) {
        session.setAttribute("glob", this);   // attribute can now be serialized with the session
    }
}
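The following is an added example, not code from the rule page or from CAST, that makes the replication failure visible without a servlet container: it round-trips candidate session attributes through ObjectOutputStream/ObjectInputStream exactly as a container does when it replicates or persists a session. The class and method names (SessionAttributeCheck, survivesReplication, roundTrip) and the three sample attribute classes are assumptions made for the example. Besides the violating and fixed shapes of DataGlob, it covers the case the Remediation warns about, a class that declares Serializable but holds a non-serializable field, and shows that a transient field is not carried across the round trip.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.NotSerializableException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;

public class SessionAttributeCheck {

    // Violation: same shape as the page's DataGlob, no Serializable.
    static class NonSerializableGlob {
        String globName = "theme";
        String globValue = "dark";
    }

    // Fixed: implements Serializable, declares serialVersionUID, and marks a
    // field that must not be persisted (here a cached token) as transient.
    static class SerializableGlob implements Serializable {
        private static final long serialVersionUID = 1L;
        String globName = "theme";
        String globValue = "dark";
        transient String cachedToken = "not-for-disk";
    }

    // Trap: declares Serializable but holds a non-serializable field, so
    // serialization of the session still fails at runtime.
    static class HolderWithBadField implements Serializable {
        private static final long serialVersionUID = 1L;
        NonSerializableGlob inner = new NonSerializableGlob();
    }

    // Serialize and deserialize the attribute the way a container does when
    // it replicates a session to another node or persists it across a restart.
    static Object roundTrip(Object attr) throws IOException, ClassNotFoundException {
        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bytes)) {
            out.writeObject(attr);
        }
        try (ObjectInputStream in =
                     new ObjectInputStream(new ByteArrayInputStream(bytes.toByteArray()))) {
            return in.readObject();
        }
    }

    // Returns true only if the attribute would survive session replication.
    // Suitable for a unit test over every object the application puts in the
    // session, or as a guard before calling session.setAttribute.
    static boolean survivesReplication(Object attr) {
        if (!(attr instanceof Serializable)) {
            return false;            // the marker interface is missing entirely
        }
        try {
            roundTrip(attr);
            return true;
        } catch (NotSerializableException e) {
            return false;            // a nested field is not serializable
        } catch (IOException | ClassNotFoundException e) {
            throw new IllegalStateException("unexpected serialization failure", e);
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("NonSerializableGlob survives: "
                + survivesReplication(new NonSerializableGlob()));
        System.out.println("HolderWithBadField survives:  "
                + survivesReplication(new HolderWithBadField()));
        System.out.println("SerializableGlob survives:    "
                + survivesReplication(new SerializableGlob()));

        SerializableGlob copy = (SerializableGlob) roundTrip(new SerializableGlob());
        System.out.println("globValue after round trip:   " + copy.globValue);
        System.out.println("cachedToken after round trip: " + copy.cachedToken);
    }
}
```

Only SerializableGlob passes: writeObject throws NotSerializableException both for the class without the marker interface and for the holder whose field lacks it, which is why checking instanceof Serializable alone is not enough. After the round trip the persisted fields keep their values while the transient cachedToken comes back as null, since Java does not rerun field initializers when deserializing a Serializable class; that is the mechanism to use for data that may live in the session in memory but must not be written to disk or sent to another node.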
Reference
https://cwe.mitre.org/data/definitions/579.html
https://www.owasp.org/index.php/Top_10-2017_A2-Broken_Authentication
Related Technologies
Technical Criterion
CWE-579 - J2EE Bad Practices: Non-serializable Object Stored in Session
About CAST Appmarq
CAST Appmarq is by far the biggest repository of data about real IT systems. It's built on thousands of analyzed applications, made of 35 different technologies, by over 300 business organizations across major verticals. It provides IT Leaders with factual key analytics to let them know if their applications are on track.