Allow disabling serialization of VaadinSession and disable it by default

Description of the feature

When you are using authentication in your application, the authentication information is by default stored in the HTTP session. If you use Spring dev tools during development then one every Java change, the server will be restarted. When this happens, the session is serialized and then deserialized again. If the whole application is serializable, the session will be retained and you will stay logged in. However, in most cases the Flow application is not serializable as you can very easily create code that causes serialization of the component tree to fail. When serialization of the Flow application fails, the authentication info will not be serialized either but instead the whole session will be thrown away.

Actual behavior

The development workflow is

1. Start app
2. Login and navigate to the view you want to modify
3. Make code changes
4. Auto reload kicks in
5. Login and navigate to the view
6. Check if you did the correct changes

Expected behavior

The workflow should be

1. Start app
2. Login and navigate to the view you want to modify
3. Make code changes
4. Auto reload kicks in
5. Check if you did the correct changes

Suggested solution

Add a parameter called serializeVaadinSession with a default value of false.

When serializeVaadinSession is false, the VaadinSession and related locks that are stored in the HTTP session are not serialized when the session is serialized. Everything else in the HTTP session is serialized.

When serializeVaadinSession is explicitly set to true in the project, use the current behavior.