Consider moving away from Java serialization as default serialization mechanism

[vpavic]

At present, all SessionRepository implementations use Java serialization as the default serialization mechanism.

While convenient as a default, Java serialization has several well known limitations and the ecosystem appears to be getting ready to move away from it - see Towards Better Serialization document by Brian Goetz.

The next major release seems like a good opportunity to reconsider Spring Session's general approach to serialization.