AttackFlow Findings Dictionary


Using Non-Serializable Object in Session

Server-side state becomes unreliable when ASP.NET cannot serialize the user session to its state store; the session update is lost and the request fails.

Severity

Medium

Fix Cost

Low

Trust Level

High

Server-side session state stores variables that must be available across multiple requests from the same user.

Objects placed in the session may be of any type, including instances of custom classes. Session state is commonly moved out of the worker process (ASP.NET StateServer or SQLServer mode) so that sessions survive process recycles, can be shared across a web farm, or do not consume worker-process memory. Every request then marshals (serializes) the session objects to the store and unmarshals them back at runtime.

For an object to be marshalled, it and every object reachable through its fields must be serializable: marked with the [Serializable] attribute or implementing System.Runtime.Serialization.ISerializable, with any non-serializable member excluded via [NonSerialized]. When the session (HttpSessionState) holds a custom object that does not meet this requirement, serialization fails when ASP.NET persists the session at the end of the request: the request ends with an HttpException, the session update is lost, and the application is left in an unreliable state. Because the default InProc mode never serializes session objects, the defect is latent until the deployment switches to an out-of-process store, which is typically when the site scales out.
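The following is an added example (ASP.NET on .NET Framework; not AttackFlow's own code, and the type names Cart, CartLine, ReportBuilder, SafeCart, SafeCartLine, SessionChecks and CheckoutPage are hypothetical). It shows the failing pattern beside the corrected one, and a helper that round-trips a value through the same serializer the out-of-process providers use, so a unit test can reject non-serializable session types before the site is moved off InProc mode.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Runtime.Serialization;
using System.Runtime.Serialization.Formatters.Binary;
using System.Web.SessionState;

// Added example; all type names are hypothetical.
//
// web.config fragment that switches the site to an out-of-process store,
// which is where the defect below surfaces:
//   <sessionState mode="StateServer" stateConnectionString="tcpip=127.0.0.1:42424" />

// Helper type that is deliberately not serializable (no [Serializable]).
public class ReportBuilder
{
    public string Render(string sku, int qty) { return sku + " x " + qty; }
}

// BEFORE: neither type carries [Serializable]. Works under InProc mode, but
// under StateServer/SQLServer mode ASP.NET throws an HttpException when it
// serializes the session at the end of the request, and the session data is lost.
public class CartLine
{
    public string Sku;
    public int Qty;
}

public class Cart
{
    public List<CartLine> Lines = new List<CartLine>();
    public ReportBuilder Builder = new ReportBuilder();
}

// AFTER: the root type and every type reachable from it are serializable;
// the helper that is not is excluded from the object graph and rebuilt lazily.
[Serializable]
public class SafeCartLine
{
    public string Sku;
    public int Qty;
}

[Serializable]
public class SafeCart
{
    public List<SafeCartLine> Lines = new List<SafeCartLine>();

    [NonSerialized] private ReportBuilder _builder;   // null again after deserialization
    public ReportBuilder Builder
    {
        get { return _builder ?? (_builder = new ReportBuilder()); }
    }
}

public static class SessionChecks
{
    // Round-trips a value through BinaryFormatter, the mechanism the .NET
    // Framework StateServer/SQLServer providers use, so a unit test can
    // reject non-serializable session types without deploying a state server.
    public static bool CanBeStoredOutOfProc(object value)
    {
        if (value == null) return true;
        var formatter = new BinaryFormatter();
        try
        {
            using (var stream = new MemoryStream())
            {
                formatter.Serialize(stream, value);
                stream.Position = 0;
                formatter.Deserialize(stream);
            }
            return true;
        }
        catch (SerializationException)
        {
            return false;
        }
    }
}

// Usage inside a page: the guarded assignment fails fast with a clear error
// instead of failing at the end of the request when the provider serializes.
public class CheckoutPage : System.Web.UI.Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        HttpSessionState session = Session;

        var cart = new SafeCart();
        cart.Lines.Add(new SafeCartLine { Sku = "A-100", Qty = 2 });

        // new Cart() would be rejected here; SafeCart passes.
        if (!SessionChecks.CanBeStoredOutOfProc(cart))
            throw new InvalidOperationException("session value is not serializable");

        session["cart"] = cart;
    }
}
```

Keep the CanBeStoredOutOfProc check in test code rather than on the request path in production: it mirrors the provider's serializer to surface the defect early, and BinaryFormatter is obsolete outside .NET Framework. Session types are best kept as plain data holders, with services such as the ReportBuilder above recreated on demand rather than stored.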

