RSPEC-2441

Non-serializable objects should not be stored in "HttpSession" objects


    Details

    • Type: Bug Detection
    • Status: Active
    • Resolution: Unresolved
    • Labels:
    • Message:
      Make "xxx" serializable or don't store it in the session.
    • Default Severity:
      Major
    • Impact:
      Low
    • Likelihood:
      High
    • Default Quality Profiles:
      Sonar way
    • Covered Languages:
      Java
    • Irrelevant for Languages:
      ABAP, C#, C, C++, Cobol, Flex, HTML, JavaScript, Objective-C, PHP, PL/I, PL/SQL, Python, RPG, Swift, VB.Net, VB6, XML
    • Remediation Function:
      Constant/Issue
    • Constant Cost:
      20min
    • Analysis Scope:
      Main Sources
    • CWE:
      CWE-579
    • FindBugs:
      J2EE_STORE_OF_NON_SERIALIZABLE_OBJECT_INTO_SESSION

      Description

      If you have no intention of writing an HttpSession object to a file, storing non-serializable objects in it may not seem like a big deal. But whether or not you explicitly serialize the session, the server may write it to disk anyway to manage its memory use, in a process called "passivation", or serialize it to replicate it to other nodes of a cluster. Further, some servers automatically write their active sessions out to a file at shutdown and deserialize any such sessions again at startup.

      The point is that even though HttpSession does not extend Serializable, you must nonetheless assume that its attributes will be serialized. If you have stored non-serializable objects in the session, the result is either a java.io.NotSerializableException at passivation or shutdown time or, on servers that skip such attributes with a warning, a session that silently loses state when it is restored. Either way, the failure surfaces far from the setAttribute call that caused it. When you do make the class Serializable, give it an explicit serialVersionUID so that restored sessions still match the deployed class, and mark fields that cannot or should not be written (open connections, locks, secrets) as transient.

      Noncompliant Code Example

      import javax.servlet.http.HttpServletRequest;
      import javax.servlet.http.HttpSession;

      public class Address {  // does not implement java.io.Serializable
        //...
      }

      //...
      HttpSession session = request.getSession();
      session.setAttribute("address", new Address());  // Noncompliant; Address isn't serializable
      
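      To show what the passivation described above actually does to session attributes, the following stand-alone demo is added here; it is not part of the rule specification or of SonarSource's code. Instead of the servlet API, it stands in for the container by serializing a HashMap of attributes with plain Java serialization (ObjectOutputStream), which is what servers do when they passivate or persist a session, so it runs without a server. The class names, the geocoderHandle field and the sample street are assumptions made for illustration. The first half reproduces the failure the rule warns about; the second half shows the compliant form of Address, with an explicit serialVersionUID and a transient field for state that cannot be written.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.NotSerializableException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.HashMap;
import java.util.Map;

public class SessionPassivationDemo {

    // Noncompliant: a plain class that does not implement Serializable.
    static class Address {
        final String street;
        Address(String street) { this.street = street; }
    }

    // Compliant: implements Serializable, pins serialVersionUID, and excludes a
    // field that cannot be written. geocoderHandle is a hypothetical stand-in for
    // a live resource (connection, thread, lock); after restore it is null because
    // field initializers do not run during deserialization.
    static class SerializableAddress implements Serializable {
        private static final long serialVersionUID = 1L;
        final String street;
        transient Object geocoderHandle = new Object();
        SerializableAddress(String street) { this.street = street; }
    }

    // Stand-in for the container's passivation: write every attribute with
    // ObjectOutputStream. A single non-Serializable value fails the whole write.
    static byte[] passivate(Map<String, Object> attributes) throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) {
            out.writeObject(attributes);
        }
        return buf.toByteArray();
    }

    // Stand-in for activation at startup or after the session was swapped out.
    @SuppressWarnings("unchecked")
    static Map<String, Object> activate(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            return (Map<String, Object>) in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        Map<String, Object> session = new HashMap<>();

        // Noncompliant attribute: the exception names the offending class, not the
        // setAttribute call, which is why the problem is hard to trace in production.
        session.put("address", new Address("1 Main St"));
        try {
            passivate(session);
            System.out.println("unexpected: passivation succeeded");
        } catch (NotSerializableException e) {
            System.out.println("Passivation failed for class: " + e.getMessage());
        }

        // Compliant attribute: survives a full passivate/activate round trip.
        session.put("address", new SerializableAddress("1 Main St"));
        Map<String, Object> restored = activate(passivate(session));
        SerializableAddress a = (SerializableAddress) restored.get("address");
        System.out.println("Restored street: " + a.street);
        System.out.println("Transient handle after restore: " + a.geocoderHandle);
    }
}
```

      Compile and run with `javac SessionPassivationDemo.java && java SessionPassivationDemo`. Note that activate() deserializes whatever bytes it is given; a real container does the same with its persisted session store, so that store must be protected from tampering just like the sessions it holds.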

      See

      • MITRE, CWE-579 - J2EE Bad Practices: Non-serializable Object Stored in Session

      People

      • Assignee: Unassigned
      • Reporter: Ann Campbell