If you have a choice, you should use request scope instead of session scope. That's because the server has to keep objects on a long-term basis, and the more objects you're keeping, the more RAM it eats up. Request scope objects exist only while a request is active, so they take a smaller "bite",
However, JSF does tend to force you to use session scope in a lot of cases where you wouldn't otherwise have to. JSF2 eases some of this by adding View scope.
Session scope objects (including non-JSF session-scope) objects need to be serializable. Some appservers will get very annoyed if you don't declare session objects as serializable. That's because if the appserver needs to free up memory by "paging" objects out or if the appserver needs to transfer the session to another VM, the data must be serialized/deserialized.
Of course, if you say something's serializable, you must mean it. Otherwise, if the data goes through serialization/deserialization, the deserialized copy of the object may be missing critical information.
Bjoke: A "Bully Joke". A Statement or action made with malicious intent - unless challenged. At which point it magically transforms into "I was just funnin'" or "What's the matter, can't take a joke?"