HP Fortify : ASP.NET Bad Practices: Non-Serializable Object Stored in Session

The method set_UserActiveEnvironments() in HttpContextHelper.cs stores a non-serializable object as an HttpSessionState attribute on line 47, which can damage application reliability

By default, ASP.NET servers store the HttpSessionState object, its attributes and any objects they reference in memory. This model limits active session state to what can be accommodated by the system memory of a single machine. In order to expand capacity beyond these limitations, servers are frequently configured to persist session state information, which both expands capacity and permits replication across multiple machines to improve overall performance. In order to persist its session state, the server must serialize the HttpSessionState object, which requires that all objects stored in it be serializable.

Why is it showing that as a vulnerability, and how do I fix it?

Mohanraj R asked Nov 09 '22 13:11



1 Answer

Mohanraj, maybe you've already found the solution, but below is a plausible explanation:

There are some false positives that HP Fortify reports, and that is why you need to analyze, case by case, every vulnerability it reports to you, and that's why it has a classification list for you to analyze whether the vulnerability found is a real threat or a false positive.

In this particular case, to fix the vulnerability you just need to decorate the class you are trying to transport / send to Session with [Serializable], which is highly recommended when using session to store data inside your application.

Check this article by Piet Obermeyer and Jonathan Hawkins, which explains the use of serialization better.

Hope this helps.

Elek Guidolin answered Nov 14 '22 23:11

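The pattern the answer describes, written out as an added example (this is not code from the question, the answer, or the asker's project; the type and helper names are assumed from the Fortify message, and the `_cache` field and the `Get`/`Set` method signatures are hypothetical). It shows the non-serializable class Fortify objects to next to the `[Serializable]` version, plus a guard that fails fast in the helper rather than at session-persistence time:

```csharp
using System;
using System.Web;

// Added example, not part of the original page. Type and method names are
// assumed from the Fortify finding quoted in the question.

// BEFORE: a plain class. With <sessionState mode="InProc" /> this appears to
// work, because the object is simply kept in the worker process memory. As soon
// as web.config switches to mode="StateServer" or mode="SQLServer", ASP.NET
// must serialize the whole session at the end of each request and throws a
// SerializationException for this type, which is the reliability problem
// Fortify is flagging.
public class UserActiveEnvironmentsUnsafe
{
    public string UserName { get; set; }
    public string[] Environments { get; set; }
}

// AFTER: decorate the type (and every type it references) with [Serializable].
// Fields that cannot or should not be serialized, such as an open connection
// or a transient cache, are marked [NonSerialized]; they come back as null
// after the object is reloaded from the state store.
[Serializable]
public class UserActiveEnvironments
{
    public string UserName { get; set; }
    public string[] Environments { get; set; }   // string and string[] serialize fine

    [NonSerialized] private object _cache;       // hypothetical transient field

    public object Cache
    {
        get { return _cache; }
        set { _cache = value; }
    }
}

public static class HttpContextHelper
{
    private const string SessionKey = "UserActiveEnvironments";

    // Hypothetical signature; the page only names the method set_UserActiveEnvironments().
    public static void SetUserActiveEnvironments(HttpContext context, UserActiveEnvironments value)
    {
        if (context == null) throw new ArgumentNullException("context");
        if (context.Session == null)
            throw new InvalidOperationException("Session state is not available in this request.");

        // Defensive check: Type.IsSerializable reflects the [Serializable] attribute,
        // so a missing attribute is caught here, on the developer's machine,
        // instead of as an end-of-request failure once out-of-process session
        // state is enabled in production.
        if (value != null && !value.GetType().IsSerializable)
            throw new InvalidOperationException(
                value.GetType().FullName + " is stored in session but is not marked [Serializable].");

        context.Session[SessionKey] = value;
    }

    public static UserActiveEnvironments GetUserActiveEnvironments(HttpContext context)
    {
        if (context == null || context.Session == null) return null;
        return context.Session[SessionKey] as UserActiveEnvironments;
    }
}
```

The guard is cheap and only matters while the application still runs InProc; once `sessionState` is moved out of process, ASP.NET performs the real serialization itself and the `[Serializable]` attribute is what makes it succeed. Any type reachable from the stored object (nested classes, collections of custom types) needs the same attribute, otherwise the finding simply moves to the next type in the graph.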