I certainly do not condone holding a lot of state information in Web apps. However, the problem is even worse if you ever try to switch from in-proc Session state to out-of-process if you store objects in Session. In-proc gives you a live pointer (reference) to objects you store in Session, but out-of-process serializes all of the data. Actually it serializes everything per request as well as deserializes. I've adopted the practice of disabling Session for ASPX pages by default. You can also choose to allow read-only access to Session state to minimize the performance hit. By doing this, I've been able to use SQL Server Session state management and I don't notice a significant performance hit versus in-proc (the docs say it is ~50%).
Either way, here are some links worth reading regarding session and memory leaks...
http://blogs.msdn.com/tess/archive/2006/02/02/523553.aspx
http://west-wind.com/weblog/posts/1214.aspx
