ASP.NET Bad Practices: Non-Serializable Object Stored in Session

Submitted by 安稳与你 on 2020-01-02 10:16:43

Question


I have code like

Session["key"] = "value";

But it is considered as a bad practice according to Fortify SCA with the reason of "Non-Serializable Object Stored in Session".

Screenshot as below:

What is the best way to solve this? How do I make the string "value" serializable?


Answer 1:


I think it's a false positive.

From the Fortify documentation:

In order for the session to be serialized correctly, all objects the application stores as session attributes must declare the [Serializable] attribute. Additionally, if the object requires custom serialization methods, it must also implement the ISerializable interface.

Since string doesn't implement ISerializable, it will not pass the check.
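
The rule quoted above matters when session state is kept out of process (the StateServer or SQLServer modes), because every stored object is then serialized. The following is an added example, not code from the original post or from Fortify: a reflection check that reports which types reachable from a session value lack [Serializable]. It assumes .NET Framework; `SessionTypeCheck`, `FindNonSerializable` and the sample classes are hypothetical names constructed for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Reflection;
using System.Runtime.Serialization;

// Constructed sample types, not from the original post.
[Serializable] public class CartItem { public string Sku; public int Quantity; }
public class AuditContext { public string User; }        // lacks [Serializable]
[Serializable] public class Order
{
    public CartItem Item;
    public AuditContext Audit;             // serializable owner, non-serializable member
    [NonSerialized] public object Cache;   // skipped by the serializer
}

public static class SessionTypeCheck
{
    // Hypothetical helper: types reachable from 'root' through serialized fields
    // that are not marked [Serializable]. Works on declared field types only.
    public static List<Type> FindNonSerializable(Type root)
    {
        var bad = new List<Type>();
        Walk(root, new HashSet<Type>(), bad);
        return bad;
    }

    private static void Walk(Type t, HashSet<Type> seen, List<Type> bad)
    {
        if (t == null || t.IsInterface || t.IsGenericParameter || !seen.Add(t)) return;
        if (t.IsArray) { Walk(t.GetElementType(), seen, bad); return; }
        if (!t.IsSerializable) { bad.Add(t); return; }
        // Primitives and strings have no fields to check; ISerializable types
        // control their own payload, so their fields are not inspected here.
        if (t.IsPrimitive || t.IsEnum || t == typeof(string)
            || typeof(ISerializable).IsAssignableFrom(t)) return;
        const BindingFlags flags = BindingFlags.Instance | BindingFlags.Public
            | BindingFlags.NonPublic | BindingFlags.DeclaredOnly;
        foreach (FieldInfo f in t.GetFields(flags))
            if (!f.IsNotSerialized) Walk(f.FieldType, seen, bad);
        Walk(t.BaseType, seen, bad);       // private base-class fields are serialized too
    }

    public static void Main()
    {
        foreach (Type t in new[] { typeof(string), typeof(AuditContext), typeof(Order) })
            Console.WriteLine("{0}: [{1}]", t.Name,
                string.Join(", ", FindNonSerializable(t).ConvertAll(x => x.Name)));
    }
}
```

Fields declared as an interface are skipped because only the runtime type decides whether they serialize, so a clean result here does not cover those members.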



Source: https://stackoverflow.com/questions/51624267/asp-net-bad-practices-non-serializable-object-stored-in-session
