The private serialization methods of org.hibernate.impl.SessionImpl must call default[Read|Write]Object() on the object input/output stream before any custom de/serialization logic.
According to the Java serialization spec:
"The class's writeObject method, if implemented, is responsible for saving the state of the class. Either ObjectOutputStream's defaultWriteObject or writeFields method must be called once (and only once) before writing any optional data that will be needed by the corresponding readObject method to restore the state of the object; even if no optional data is written, defaultWriteObject or writeFields must still be invoked once. If defaultWriteObject or writeFields is not invoked once prior to the writing of optional data (if any), then the behavior of instance deserialization is undefined in cases where the ObjectInputStream cannot resolve the class which defined the writeObject method in question."
"The readObject method of the class, if implemented, is responsible for restoring the state of the class. The values of every field of the object whether transient or not, static or not are set to the default value for the fields type. Either ObjectInputStream's defaultReadObject or readFields method must be called once (and only once) before reading any optional data written by the corresponding writeObject method; even if no optional data is read, defaultReadObject or readFields must still be invoked once."
One consequence of this spec violation is that you cannot use JBoss Marshalling to serialize a session. For details, see:
thanks for the patch, applying now. We don't use SerialVersionUID though, I'm removing that.