user3112342

Reputation: 77

String Serialization in .NET

I am currently performing a secure code review of Fortify-reported issues, and the segments of code flagged relate to the current session state being stored in memory. By default, the .NET framework automatically stores all HttpSessionState objects, their attributes and any objects they reference in memory. This implementation limits active session state to what can be accommodated by the system memory of a single machine.

In order to improve performance, it is recommended to mark all objects as serializable to expand capacity.

While all steps have been taken to make all these objects Serializable, the Fortify scanning tool still flags some string variables as vulnerable.

My question is: are string variables not serialized by default, or do I need to explicitly mark these variables as "Serializable"?

Upvotes: 6

Views: 2247

Answers (1)

Alexey Nagoga

Reputation: 201

It's a false-positive detection. The String type does not implement ISerializable, which (I think) is the reason why Fortify complains. But String is decorated with the [Serializable] attribute, as can be seen here: https://learn.microsoft.com/en-us/dotnet/api/system.string, and typeof(string).IsSerializable returns true, which gives you enough evidence to request an exemption. Hope it helps.

Upvotes: 9
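The check the answer relies on can be turned into a small reflection-based audit that walks a session object's fields and reports only the types that lack the [Serializable] attribute, which is what out-of-process ASP.NET session state needs; it is an added example, not code from the question, the answer or Fortify. The UserSession and AuditContext classes are constructed samples for the demonstration, and string fields pass the audit because typeof(string).IsSerializable is true, consistent with the answer.

```csharp
using System;
using System.Collections.Generic;
using System.Reflection;

// Constructed sample: the kind of object placed in HttpSessionState.
[Serializable]
public class UserSession
{
    public string UserName;                         // string is [Serializable]
    public DateTime LoginTime;
    public List<string> Roles = new List<string>();
}

// Constructed sample that really would break out-of-process session storage.
public class AuditContext
{
    public string CorrelationId;
}

public static class SerializabilityAudit
{
    // Returns the full names of every type reachable through instance fields
    // (including generic arguments and array elements) that is not marked
    // [Serializable]. Primitives are skipped; [NonSerialized] fields are ignored.
    public static List<string> FindNonSerializableTypes(Type root)
    {
        var findings = new List<string>();
        var seen = new HashSet<Type>();
        var todo = new Stack<Type>();
        todo.Push(root);
        while (todo.Count > 0)
        {
            var t = todo.Pop();
            if (!seen.Add(t) || t.IsPrimitive || t.IsEnum) continue;
            if (t.IsArray) { todo.Push(t.GetElementType()); continue; }
            if (!t.IsSerializable) findings.Add(t.FullName);
            const BindingFlags all = BindingFlags.Instance | BindingFlags.Public | BindingFlags.NonPublic;
            foreach (var f in t.GetFields(all))
            {
                if (f.IsNotSerialized) continue;
                if (f.FieldType.IsGenericType)
                    foreach (var arg in f.FieldType.GetGenericArguments()) todo.Push(arg);
                todo.Push(f.FieldType);
            }
        }
        return findings;
    }

    public static void Main()
    {
        Console.WriteLine("string IsSerializable: " + typeof(string).IsSerializable);
        Console.WriteLine("UserSession: " + string.Join(", ", FindNonSerializableTypes(typeof(UserSession))));
        Console.WriteLine("AuditContext: " + string.Join(", ", FindNonSerializableTypes(typeof(AuditContext))));
    }
}
```

Only AuditContext is reported; a type that shows up here is a genuine finding, while a flagged string field is evidence for the exemption the answer suggests.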
