The container is going to HAVE to do some kind of callback to allow the application to update the session during the upgrade. There are issues that may not be resolved simply through serializing and deserializing the class. A contrived example could be that the application injects something into the session when a user logs in.
In the old version, this feature didn't exist. In the new version, this feature is assumed. If the application doesn't have an opportunity to upgrade the session and load this item into the session, then the new application may well be working with an invalid session state that it's simply not designed to handle gracefully.
[Message sent by forum member 'whartung' (whartung)]
http://forums.java.net/jive/thread.jspa?messageID=266058