If you have no intention of writing an HttpSession object to file, then storing non-serializable objects in it may not
seem like a big deal. But whether or not you explicitly serialize the session, it may be written to disk anyway as the server manages its memory use
in a process called "passivation". Further, some servers automatically write their active sessions out to file at shutdown and deserialize any such
sessions at startup.
The point is that even though HttpSession does not extend Serializable, you must nonetheless assume that it will be
serialized, and understand that if you've stored non-serializable objects in the session, errors will result.
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

public class Address { // does not implement java.io.Serializable
//...
}
//... inside a servlet or filter that has access to the HttpServletRequest
HttpSession session = request.getSession();
session.setAttribute("address", new Address()); // Noncompliant; Address isn't serializable
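As an added example that is not part of the rule description, the stand-alone Java program below mimics what a container does when it passivates a session: it writes the attribute map with an ObjectOutputStream. The class names SerializableAddress, SessionPassivationDemo and canPassivate are assumptions made for this illustration; the point is that the non-serializable Address fails at passivation time, long after setAttribute succeeded.

```java
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.NotSerializableException;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.LinkedHashMap;
import java.util.Map;

public class SessionPassivationDemo {

    // Noncompliant attribute type: no Serializable marker.
    static final class Address {
        final String street = "1 Example St"; // constructed sample value
    }

    // Compliant attribute type: Serializable, and every field is serializable too,
    // so the whole object graph survives passivation and restart.
    static final class SerializableAddress implements Serializable {
        private static final long serialVersionUID = 1L;
        final String street = "1 Example St"; // constructed sample value
    }

    // Simulates container passivation of a session's attribute map.
    // Returns true if the map could be written, false if a value is not serializable.
    static boolean canPassivate(Map<String, Object> attributes) {
        try (ObjectOutputStream out = new ObjectOutputStream(new ByteArrayOutputStream())) {
            out.writeObject(attributes); // LinkedHashMap itself is Serializable
            return true;
        } catch (NotSerializableException e) {
            // The message names the offending class, which is how the failure
            // shows up in server logs when a real session is passivated.
            System.out.println("passivation failed: " + e.getMessage());
            return false;
        } catch (IOException e) {
            throw new IllegalStateException(e);
        }
    }

    public static void main(String[] args) {
        Map<String, Object> bad = new LinkedHashMap<>();
        bad.put("address", new Address()); // accepted by the map, fails at passivation
        System.out.println("non-serializable attribute: " + canPassivate(bad));

        Map<String, Object> good = new LinkedHashMap<>();
        good.put("address", new SerializableAddress());
        System.out.println("serializable attribute: " + canPassivate(good));
    }
}
```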