J2EE Bad Practices: Non-serializable Object Stored in Session
Weakness ID: 579 (Weakness Variant)Status: Draft
+ Description

Description Summary

The application stores a non-serializable object as an HttpSession attribute, which can hurt reliability.
+ Time of Introduction
  • Architecture and Design
  • Implementation
+ Applicable Platforms



+ Demonstrative Examples

Example 1

The following class adds itself to the session, but because it is not serializable, the session can no longer be replicated.

(Bad Code)
Example Language: Java 
public class DataGlob {
String globName;
String globValue;

public void addToSession(HttpSession session) {
session.setAttribute("glob", this);
+ Potential Mitigations

In order for session replication to work, the values the application stores as attributes in the session must implement the Serializable interface.

+ Other Notes

A J2EE application can make use of multiple JVMs in order to improve application reliability and performance. In order to make the multiple JVMs appear as a single application to the end user, the J2EE container can replicate an HttpSession object across multiple JVMs so that if one JVM becomes unavailable another can step in and take its place without disrupting the flow of the application.

+ Relationships
NatureTypeIDNameView(s) this relationship pertains toView(s)
ChildOfWeakness ClassWeakness Class573Failure to Follow Specification
Development Concepts (primary)699
Research Concepts (primary)1000
+ Content History
Modification DateModifierOrganizationSource
2008-07-01Eric DalciCigitalExternal
updated Time of Introduction
2008-09-08CWE Content TeamMITREInternal
updated Relationships, Other Notes
2009-05-27CWE Content TeamMITREInternal
updated Demonstrative Examples