System.Runtime.Serialization.SerializationBinder Class

Allows users to control class loading and mandate what class to load.

See Also: SerializationBinder Members


public abstract class SerializationBinder


During serialization, a formatter transmits the information required to create an instance of an object of the correct type and version. This information generally includes the full type name and assembly name of the object. The assembly name includes the name, version, and strong name (see [<topic://cpconStrong-NamedAssemblies>]) hash of the assembly. By default, deserialization uses this information to create an instance of an identical object (with the exception of any assembly loading restricted by the security policy). Some users need to control which class to load, either because the class has moved between assemblies or a different version of the class is required on the server and client.

System.Runtime.Serialization.SerializationBinder can also be used for security. There might be some security exploits when you are trying to deserialize some data from an untrusted source. The binder gives you an opportunity to inspect what types are being loaded in your application domain. You can then either maintain list of denied types or a list of allowed types and restrict which types are being loaded and instantiated. In addition you should be mindful of what information is being put out on the wire, you may want to secure (use transport or message security) when sending type names or other data on the wire.


Only use System.Runtime.Serialization.SerializationBinder if you are completely sure of what information is being serialized. Malicious types can cause unexpected behavior.

This is an abstract base class. All binders extend this class.


Namespace: System.Runtime.Serialization
Assembly: mscorlib (in mscorlib.dll)
Assembly Versions: 1.0.5000.0,,