Bad Session Stores
As described in the research paper written by V.Benjamin Livshits(2005), Bad session stores occurs when objects stored in attributes of javax.servlet.http.HttpSession are not subclasses of java.io.Serializable.
As further described by Livshits, it causes issues because HttpSessions objects could be written out to disk especially when all objects stored are handled as attributes that must be serialized, if not done properly this will cause exceptions or data corruption.
What to look for in the code
- Parameters of HttpSession.set Attribute
- Control if javax.servlet.httpSession is a subclass of java.io.Serializable
V. Benjamin Livshits, "Findings Security Errors in Java Applications Using Lightweight Static Analysis" 2005 available at (http://research.microsoft.com/en-us/um/people/livshits/papers/pdf/acsac04v.pdf) Last Viewed October 3rd 2013