界: Time and State
分散式運算與時間和狀態相關。也就是說,為了使多個元件進行通訊,必須共用狀態,並且這一切都需要時間。
大多數的程式設計師將他們的工作擬人化。他們想採用一種控制執行緒來執行整個程式,就像他們必須自己完成這項工作一樣。但是,現代的電腦可以非常快速地切換工作,並且在多核心多 CPU 或分散式系統中,兩個事件可能恰好同時發生。瑕疵急於填補程式設計師在程式執行模型與實際情況之間的差距。這些瑕疵與執行緒、處理序、時間和資訊之間的意外互動有關。這些互動透過共用狀態發生:信號、變數、檔案系統,以及基本上任何可以儲存資訊的項目。
ASP.NET Bad Practices: Non-Serializable Object Stored in Session
Abstract
將不可序列化的物件當作
HttpSessionState 屬性儲存,會破壞應用程式的可靠性。Explanation
根據預設,ASP.NET 伺服器會儲存
為了使階段作業能夠正確的進行序列化,所有應用程式儲存為階段作業屬性的物件必須聲明
範例 1:以下的類別把自己新增至階段作業中,但因為它不可序列化,這個階段作業也就不能正確也序列化。
HttpSessionState 物件,以及在記憶體中它參照的屬性和任何物件。此模型會將作用中的階段作業狀態限制為,僅由單一機器的系統記憶體來提供。為了擴充這些限制的容量,要頻繁的配置伺服器以維持階段作業狀態資訊,如此不僅可擴充容量,還可在多台機器上進行複製以增進整體的效能。為了要維持其階段作業狀態,伺服器必須序列化 HttpSessionState 物件,此作業要求所有儲存在伺服器中的物件皆為可序列化的。為了使階段作業能夠正確的進行序列化,所有應用程式儲存為階段作業屬性的物件必須聲明
[Serializable] 屬性。此外,如果物件要求自訂的序列化方法,它還必須執行 ISerializable 介面。範例 1:以下的類別把自己新增至階段作業中,但因為它不可序列化,這個階段作業也就不能正確也序列化。
public class DataGlob {
String GlobName;
String GlobValue;
public void AddToSession(HttpSessionState session) {
session["glob"] = this;
}
}
References
[1] Session State Providers Microsoft Corporation
[2] Underpinnings of the Session State Implementation in ASP.NET Microsoft Corporation
[3] Standards Mapping - CIS Azure Kubernetes Service Benchmark 1
[4] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 4.1
[5] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 2
[6] Standards Mapping - CIS Google Kubernetes Engine Benchmark normal
[7] Standards Mapping - Common Weakness Enumeration CWE ID 579
[8] Standards Mapping - OWASP Top 10 2004 A3 Broken Authentication and Session Management
[9] Standards Mapping - OWASP Top 10 2007 A7 Broken Authentication and Session Management
[10] Standards Mapping - OWASP Top 10 2010 A3 Broken Authentication and Session Management
[11] Standards Mapping - OWASP Top 10 2013 A2 Broken Authentication and Session Management
[12] Standards Mapping - OWASP Top 10 2017 A2 Broken Authentication
[13] Standards Mapping - OWASP Top 10 2021 A04 Insecure Design
[14] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.3
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.7
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.10
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.10
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.10
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.10
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[23] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[24] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection
[25] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection
desc.structural.dotnet.asp_dotnet_bad_practices_non_serializable_object_stored_in_session