[SHIRO-325] SimpleSession serializes fields twice - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Closed
Priority: Major
Resolution: Fixed
Affects Version/s: 1.0.0, 1.1.0
Fix Version/s: 1.2.0
Component/s: Session Management
Labels:
None

Description

org.apache.shiro.session.mgt.SimpleSession serializes fields twice - once via the 'writeObject' implementations' call to out.writeDefaultObject(), and again via the custom bitmask-based serialization that follows it.

The internal fields should be marked as transient to prevent this. out.writeDefaultObject should still be called for JVM security reasons, but SimpleSession's custom field-based serialization is more efficient so it should be retained. The solution is to mark all custom-serialized fields as transient.

Discussion thread here: http://mail-archives.apache.org/mod_mbox/shiro-user/201109.mbox/%3C4E81BCBD.8060909@metaphysis.net%3E

Attachments

Activity

People

Assignee:: Les Hazlewood

Reporter:: Les Hazlewood

Votes:: 0 Vote for this issue

Watchers:: 0 Start watching this issue

Dates

Created:: 27/Sep/11 22:06

Updated:: 24/Jan/12 01:11

Resolved:: 28/Sep/11 03:20