SEVERE: IOException while loading persisted sessions:
java.io.WriteAbortedException:
writing aborted; java.io.NotSerializableException:
That means this object cannot be persisted on hard disk.
Does it imply that it's not safe to keep in Session objects that do not implement "Serializable"?
I haven't heard that there are limitations on saving non-serializable objects in Session object.
It simply means that Tomcat will always keep them in memory, right?
Does it imply that it's not safe to keep in Session objects that do not implement "Serializable"?
That's exactly right, yes.
However, many servlet containers will let you get away with it, if they don't actually need to do any serialization.
For example, Tomcat doesn't care if the session attributes are serializable or not, unless you enable session replication. It needs to be able to serialize the attributes to replicate them to the other servers in the cluster.
In your case, it seems that the container is trying to persist the session data to disk, which again would require serialization.
Serialization is attempted not only when objects are persisted to hard disk, but also when transferred to another node in distributed environment. Although the servlet specification does not mandate objects to be serializable it is not a bad practise to do so.
The Servlet spec defines the rules for distributing sessions (the 2.5 spec doesn't actually describe how to persist session for anything other than distributed environments, but the semantics should be the same). It is usually easiest to implement Serializable in such cases. You can also make use of the HttpSessionActivationListener interface if you want to be notified of these events.