Just extending the answer of kolossus. Most of Servlet Containers like Tomcat may use an strategy of storing the Session data to physical memory, in case if restart or web app reload.

Well the usual way to store/persist Java instances/Objects is using ObjectoutputStream, which indeed requires the Object/instance to be persisted, to implement the Serializable interface.

You can see that its mentioned in Tomcat docs that:

Whenever Apache Tomcat is shut down normally and restarted, or when an application reload is triggered, the standard Manager implementation will attempt to serialize all currently active sessions to a disk file located via the pathname attribute. All such saved sessions will then be deserialized and activated (assuming they have not expired in the mean time) when the application reload is completed.

Link for doc.

@SessionScoped beans are ultimately stored in the user's HTTP session.

This means that when a Java EE deployment implements a session preservation scheme (for example, tomcat will attempt to save current sessions to a .ser file on server shutdown, if the deployer so chooses), those session-scoped beans would also be part of the payload that will be persisted.

A session scoped bean that isn't serializable becomes a problem here as it renders the entire HTTP session that it is a part of, un-persistable (any attempt to serialize an object that contains an unserializable member will cause a NotSerializableException, except with some special handling)

Incidentally, that means that even if your session-scoped bean implements Serializable, all its member variables must either be serializable or be marked transient.

In short, the entire object graph of a given HTTP session that is liable to be persisted via serialization, must either be marked as serializable or transient

Read more:

• Why does Java have transient fields?

• JavaBean recommendations on serialization