Hi,
1) Well, no problem, because your application server deals with almost all the things. However, your session could migrate from one machine to another, and because of that, all the objects in the session MUST implement Serializable.
2) YOU don't need to serialize the object, you should make the object serializable. In most cases you should only add "implements java.io.Serializable" to your class definition. The serialization, however, is done by the container. You also have some listeners that enable you to take some care when the session is going to migrate from one machine to another (HttpSessionActivation).
3) You cannot add primitives as attributes to the session. But again, in most of the cases you only need to write "implements Serializable" in the object in order to let the server serialize it.
Dani
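
The round trip described in the reply above, as an added example that is not part of the original post: it uses plain JDK object streams as a stand-in for what a container does when it moves a session attribute between machines. The class names (`SessionMigrationDemo`, `Cart`, `Handle`) and the `migrate` helper are hypothetical and constructed for illustration.

```java
import java.io.*;

// Hypothetical session attribute classes, constructed for this example.
public class SessionMigrationDemo {

    // Can be migrated: carries the Serializable marker.
    // The transient field is deliberately left out of the serialized form.
    static class Cart implements Serializable {
        private static final long serialVersionUID = 1L;
        final String owner;
        transient StringBuilder scratch = new StringBuilder("cache");
        Cart(String owner) { this.owner = owner; }
    }

    // Cannot be migrated: no Serializable marker.
    static class Handle {
        final String name = "db-connection";
    }

    // Stand-in for the container: write the attribute to bytes on one node,
    // then rebuild it from those bytes on another.
    static Object migrate(Object attribute) throws IOException, ClassNotFoundException {
        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bytes)) {
            out.writeObject(attribute);
        }
        try (ObjectInputStream in =
                 new ObjectInputStream(new ByteArrayInputStream(bytes.toByteArray()))) {
            return in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        Cart copy = (Cart) migrate(new Cart("dani"));
        System.out.println("owner after migration: " + copy.owner);
        // Field initializers are not re-run on deserialization,
        // so the transient field is not restored.
        System.out.println("transient field after migration: " + copy.scratch);

        try {
            migrate(new Handle());
        } catch (NotSerializableException e) {
            // The exception message is the name of the offending class.
            System.out.println("cannot migrate: " + e.getMessage());
        }
    }
}
```

The transient field is not restored by the round trip; rebuilding that kind of state after a move is what the activation listeners mentioned in the reply are for.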