The application stores a non-serializable object as an HttpSession attribute, which can hurt reliability.