J2EE Bad Practices: Non-serializable Object Stored in Session

Status: Draft
Abstraction: Variant
Structure: Simple
Description

This weakness occurs when a Java web application stores an object that does not implement `java.io.Serializable` as an `HttpSession` attribute. The session can then no longer be replicated or passivated by the container, which breaks failover and hurts reliability.

Extended Description

Java web applications are commonly deployed across several server instances (JVMs) for capacity and availability. To keep a user's session alive when a request is routed to a different node, or when a node fails, the application server replicates `HttpSession` data between nodes or persists it to a shared store. Replication works by serializing each session attribute into a byte stream, so every object stored with `setAttribute()` must implement `java.io.Serializable`, and so must every object reachable through its non-transient fields. If a non-serializable object is stored, the container either rejects it up front (the Servlet specification permits a container to throw `IllegalArgumentException` from `setAttribute()` in a distributable application) or fails later with `NotSerializableException` when it tries to replicate or passivate the session. Either way the user's session state is lost or inconsistent on failover, which defeats the purpose of the clustered deployment and produces errors during scaling or outages. Common culprits are custom helper classes, third-party library objects, and resource handles such as JDBC connections that were never designed to be serialized. Resource handles should not be stored in the session at all: hold them in a `transient` field and re-acquire them after deserialization.

Common Consequences
Scope: Other

Impact: Quality Degradation

Detection Methods
Automated Static Analysis (Effectiveness: High)
Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.). For this weakness the sink is `HttpSession.setAttribute()`, and the check is whether the value's class implements `java.io.Serializable`; a precise analysis also follows the non-transient fields of that class, since a serializable wrapper around a non-serializable field fails in the same way at replication time.
Potential Mitigations
Phase: Implementation
In order for session replication to work, every value the product stores as a session attribute must implement `java.io.Serializable`, including the objects referenced by its non-transient fields. Mark fields that hold non-serializable resources (connections, sockets, caches) as `transient` and re-initialize them after deserialization rather than storing the resource in the session. Declaring a `serialVersionUID` on session classes keeps nodes running different builds from rejecting each other's streams.
Demonstrative Examples
The following class stores itself in the session, but because it does not implement Serializable, the session can no longer be replicated.

Code Example (Bad, Java):
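The page's own listing for this example did not survive extraction. The following is an added example, not code from the original page or from CWE, that reproduces the pattern described above (a helper class that stores itself in the session without implementing Serializable) next to its corrected form, and simulates what a clustered container does at replication time by writing each attribute through an `ObjectOutputStream`. The class names `DataGlob`, `SerializableDataGlob`, `FakeSession` and the helper `firstNonReplicableAttribute` are assumed for illustration; `FakeSession` is a stand-in for `javax.servlet.http.HttpSession` so the example runs with the JDK alone.

```java
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.LinkedHashMap;
import java.util.Map;

public class SessionReplicationCheck {

    // BAD: the pattern this page describes. A plain helper class is placed in
    // the session but does not implement Serializable, so a clustered container
    // cannot copy the session to another JVM.
    static final class DataGlob {
        String globName;
        String globValue;

        DataGlob(String globName, String globValue) {
            this.globName = globName;
            this.globValue = globValue;
        }

        void addToSession(FakeSession session) {
            session.setAttribute("glob", this);
        }
    }

    // GOOD: the same data made replicable. The class is a static nested class
    // (a non-static inner class would drag its enclosing instance into the
    // stream, and that instance would have to be Serializable too), and a
    // handle that cannot be serialized is marked transient so it is skipped.
    static final class SerializableDataGlob implements Serializable {
        private static final long serialVersionUID = 1L;
        String globName;
        String globValue;
        transient Object liveHandle;   // e.g. a JDBC Connection: never serialized

        SerializableDataGlob(String globName, String globValue) {
            this.globName = globName;
            this.globValue = globValue;
            this.liveHandle = new Object();   // re-acquired after deserialization in real code
        }

        void addToSession(FakeSession session) {
            session.setAttribute("glob", this);
        }
    }

    // Assumed stand-in for HttpSession: an attribute map. The real interface is
    // not needed to show the serialization failure.
    static final class FakeSession {
        private final Map<String, Object> attributes = new LinkedHashMap<>();

        void setAttribute(String name, Object value) {
            attributes.put(name, value);
        }

        Map<String, Object> getAttributes() {
            return attributes;
        }
    }

    // What the container does at replication or passivation time: serialize
    // each attribute. Returns the name of the first attribute that cannot be
    // written, or null when the whole session is replicable.
    // NotSerializableException extends IOException, so one catch clause covers it.
    static String firstNonReplicableAttribute(FakeSession session) {
        for (Map.Entry<String, Object> entry : session.getAttributes().entrySet()) {
            try (ObjectOutputStream out = new ObjectOutputStream(new ByteArrayOutputStream())) {
                out.writeObject(entry.getValue());
            } catch (IOException e) {
                return entry.getKey();
            }
        }
        return null;
    }

    public static void main(String[] args) {
        FakeSession bad = new FakeSession();
        bad.setAttribute("username", "alice");          // String is Serializable
        new DataGlob("theme", "dark").addToSession(bad);
        System.out.println("bad session fails on attribute: " + firstNonReplicableAttribute(bad));

        FakeSession good = new FakeSession();
        good.setAttribute("username", "alice");
        new SerializableDataGlob("theme", "dark").addToSession(good);
        System.out.println("good session fails on attribute: " + firstNonReplicableAttribute(good));
    }
}
```

Running the class reports the first session as blocked by the `glob` attribute and the second as fully replicable. In a real distributable web application the failure may surface earlier, since the Servlet specification permits the container to reject a non-serializable value with `IllegalArgumentException` at `setAttribute()` time; the serialization probe above is also a cheap unit-test-time guard for any class the application intends to put in the session.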
Applicable Platforms
Languages:
Java (Prevalence: Undetermined)
Modes of Introduction
Implementation
Taxonomy Mapping
  • Software Fault Patterns