
I am using Fortify on a web app, and it is flagging an issue for the following code: the method addToSession() stores a non-serializable object as an HttpSession attribute, which can damage application reliability.

import javax.servlet.http.HttpSession;

// Original version: DataGlob does not implement Serializable, so the
// container cannot write this attribute to disk or to another node.
public class DataGlob {
   String globName;
   String globValue;

   public void addToSession(HttpSession session) {
     session.setAttribute("glob", this);
   }
}

and it recommends the following change.

import java.io.Serializable;
import javax.servlet.http.HttpSession;

// Recommended version: marking the class Serializable lets the container
// persist and replicate the session attribute. The explicit serialVersionUID
// keeps the stream format stable across recompiles of this class.
public class DataGlob implements Serializable {
   private static final long serialVersionUID = 1L;

   String globName;
   String globValue;

   public void addToSession(HttpSession session) {
     session.setAttribute("glob", this);
   }
}

Do I need to make the change it recommends, or is the code fine as it is?

Denys Kurochkin
Sameer

2 Answers


It's recommended that all attributes stored in a session are serializable. It's not required, but it may be useful in the future.

In order to support failover, application servers may persist session data to disk or transfer it over the network so that another node in the cluster can continue servicing the session. To support this, all data stored in the session needs to be serializable.

6ton

HttpSession contents should be serializable so that the container is able to store sessions to disk or transfer a session to another node in a cluster.
So it is better to make your class Serializable to avoid later issues with serialization.

Denys Kurochkin
Having had to deal with the consequences of lazy programmers not maintaining serialisable session objects, I agree with this answer completely. Just do it and save yourself or someone else some pain later. – Steve C Jan 18 '17 at 23:34
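Both answers describe the same failure mode: the container serializes the whole attribute map on passivation or replication, and one non-serializable attribute breaks it. The following is an added, stand-alone illustration of that behaviour; it is not code from the question or either answer. It assumes nothing from the servlet API: a plain HashMap stands in for the session's attribute map, and the two nested classes (PlainGlob, SerializableGlob) stand in for the asker's DataGlob before and after the recommended change. The passivate/activate helpers simulate what a container does with ObjectOutputStream/ObjectInputStream; the field names and sample values are constructed for the demo.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.NotSerializableException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.HashMap;
import java.util.Map;

public class SessionPersistenceDemo {

    // Stand-in for the asker's original DataGlob: no Serializable marker.
    static class PlainGlob {
        String globName = "colour";
        String globValue = "blue";
    }

    // Stand-in for the Fortify-recommended version.
    static class SerializableGlob implements Serializable {
        private static final long serialVersionUID = 1L;
        String globName = "colour";
        String globValue = "blue";
        // Anything that must not be written to disk or shipped across the
        // cluster (for example a short-lived secret) is marked transient;
        // it is skipped on write and comes back as null after activation.
        transient String scratchSecret = "do-not-persist";
    }

    // Simulates container passivation: write every session attribute to a
    // byte stream. A single non-serializable attribute makes the whole
    // session fail to persist, which is the reliability problem Fortify flags.
    static byte[] passivate(Map<String, Object> attributes) throws IOException {
        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bytes)) {
            out.writeObject(attributes);
        }
        return bytes.toByteArray();
    }

    // Simulates activation on another node: read the attribute map back.
    @SuppressWarnings("unchecked")
    static Map<String, Object> activate(byte[] data)
            throws IOException, ClassNotFoundException {
        try (ObjectInputStream in =
                     new ObjectInputStream(new ByteArrayInputStream(data))) {
            return (Map<String, Object>) in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        Map<String, Object> session = new HashMap<>();

        // 1. Non-serializable attribute: passivation throws.
        session.put("glob", new PlainGlob());
        try {
            passivate(session);
            System.out.println("unexpected: PlainGlob persisted");
        } catch (NotSerializableException e) {
            System.out.println("session persistence failed for: " + e.getMessage());
        }

        // 2. Serializable attribute: round-trips, transient field is dropped.
        session.put("glob", new SerializableGlob());
        Map<String, Object> restored = activate(passivate(session));
        SerializableGlob glob = (SerializableGlob) restored.get("glob");
        System.out.println("restored " + glob.globName + "=" + glob.globValue
                + ", transient field=" + glob.scratchSecret);
    }
}
```

Run with `javac SessionPersistenceDemo.java && java SessionPersistenceDemo`. The first attempt fails with a NotSerializableException naming the PlainGlob class; the second restores the name and value while the transient field comes back null. Two practical points follow from this: mark fields that should never leave the JVM as transient rather than letting them ride along into a session store, and remember that a session store or replication channel is an input to Java deserialization, so it must be as trusted as the application itself.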