Rule Definition
Although not required, it is helpful if objects placed in session scope implement Serializable. The application server may serialize session objects after crossing certain memory limit. Also, when a server restart some we containers provide "session failover", in which session data is not lost during a restart. In these cases, the web container will attempt to serialize all data stored in session scope, in order to recover the data after. This will work only if such data implements Serializable.

Remediation
Implement serialization if your web container implements such mechanisms or ignore it in others cases.

Violation Code Sample

Sample for JSF:
----> faces-config.xml:
<managed-bean>
    <managed-bean-name>myBean</managed-bean-name>
    <managed-bean-class>com.cast.MyBean</managed-bean-class>
    <managed-bean-scope>session</managed-bean-scope>
</managed-bean>

----> myBean.java:
// VIOLATION: the class associate to a backing bean 
// does not implement the interface Serializable
public class MyBean {
    // Properties
    private String name;

    public String getName() {
        return name;
    }

    public void setName(String name) {
        this.name = name;
    }
}

Fixed Code Sample

----> myBean.java:
// FIXED: the interface Serializable is implemented
public class MyBean implements Serializable {
    // Properties
    private String name;

    public String getName() {
        return name;
    }

    public void setName(String name) {
        this.name = name;
    }
}

http://www.javapractices.com/Topic110.cjp http://www.precisejava.com/javaperf/j2se/Serialization.htm