VariantDraft

CWE-579J2EE Bad Practices: Non-serializable Object Stored in Session

Category: auth

Description

The product stores a non-serializable object as an HttpSession attribute, which can hurt reliability. A J2EE application can make use of multiple JVMs in order to improve application reliability and performance. In order to make the multiple JVMs appear as a single application to the end user, the J2EE container can replicate an HttpSession object across multiple JVMs so that if one JVM becomes unavailable another can step in and take its place without disrupting the flow of the application. This is only possible if all session data is serializable, allowing the session to be duplicated between the JVMs.

Common consequences· 1

  • Other — Quality Degradation

Potential mitigations· 1

  • [Implementation]In order for session replication to work, the values the product stores as attributes in the session must implement the Serializable interface.

References

  1. https://cwe.mitre.org/data/definitions/579.html

Related by meaning· 6

Nearest entities by semantic similarity across the cs-graph corpus.

CWE
EJB Bad Practices: Use of Synchronization Primitives
CWE
J2EE Framework: Saving Unserializable Objects to Disk
CWE
EJB Bad Practices: Use of Class Loader
CWE
EJB Bad Practices: Use of Sockets
CWE
EJB Bad Practices: Use of AWT Swing
CWE
EJB Bad Practices: Use of Java I/O
Sourced from MITRE CWE 4.20. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.