Most developers use the in-process session state management (InProc) during the build of any website – including Sitecore builds. Sitecore is configured to use InProc session state by default as it’s required to run the Sitecore client on Content Management (CM) servers, this doesn’t apply to the Content Delivery (CD) servers.
So, if the production environment is a single server setup – i.e. one server per environment that provides both the CM and CD roles – developers can get away with storing non-serializable objects in the session – such as Sitecore Items. The website will work without any problems as the In-Proc setup doesn’t do any serialisation.
If the live environment is architected to scale out, i.e load balanced CD servers with load balancer, you can configure your load balancer to use sticky session. In this case, InProc sessions will suffice. The CD servers won’t need to use out-of-process session management such as StateServer and SqlServer. This is by far the quickest solution for the problem. The only drawback is that some load balancing services won’t be able to provide the same sticky session for both http and https requests. So, if a user is redirected to a secure session, there is no guarantee that the load balancer will keep the user on the same server.
If you cannot use sticky sessions on your CD servers, you will have to configure your application to use out-of-process session state management. Once this is done, every object that your application stores in session, will get serialised before being sent to the state server (e.g. SqlServer). Failing to store serialisable objects in the session will always result in throwing serialisation exceptions.
Maybe you have been lucky enough to work in a project before when none of the Dev, Testing or UAT environment were matching the the Live environment in terms of the architecture, especially when it comes to multiple CD servers and load balancing. Unfortunately, this always happens to reduce the cost of the hosting, maintenance, etc. In such setups, it’s more likely to see errors happening only on the Live environment and the serialisation exceptions are one of these problems.
The problem can be solved easily be just marking all your custom classes using the Serializable attribute. However, what happens if your class contains a property of a non-serilaizble type that’s not yours, e.g. Sitecore Item! Well, straight away you may think that you are screwed and probably you need to change the logic of your application to avoid storing such types in session. In some cases, these changes won’t be trivial, and will require code updates affecting several modules, this will also require running functional and regression testing and perhaps bug fixing that may affect the deadline of the project.
Well, the following workaround may help avoiding a crisis.