Concurrent requests using MapSessionRepository leads to attributes being removed

[twadzins]

Describe the bug We noticed in our app using MapSessionRepository that when the app is hit by more than one concurrent request from the same session (with a unique attribute name added to the session on the the first to finish request), the other request that finish later will revert to the state (during the commit) before the other request set the attribute, removing the newly set attribute.

To Reproduce As seen in the sample fork, if you open two tabs to the sample app page, and set an attr "test a" on tab 1 and "test b" on tab 2, then hit "set attribute" on each tab within the same few moments, then you will see in the attr list in the page (after refreshing each page), that only one of the attributes will be set.

Expected behavior I expected that the attribute being set would be preserved regardless of the concurrent access. From what I've read in some posts here, it seems like MapSessionRepository isn't considered "production-worthy" and perhaps this is a known issue already?

Sample Here's a fork with a reproducible case. I modified the spring-session-sample-xml-jdbc sample to use MapSessionRepository and added a sleep inside the servlet to increase the likelihood of concurrent access. https://github.com/twadzins/spring-session The commit: https://github.com/twadzins/spring-session/commit/3344c906e6b071b829dee3a192dd0c70504cace7

[vpavic]

seems like MapSessionRepository isn't considered "production-worthy" and perhaps this is a known issue already

This exactly is the case and I think this could be documented more clearly (both at the javadoc level and in the reference manual) to avoid any confusion.

What you're seeing here is the so called lost update problem - other session repositories deal with this by tracking a delta of changes made to the session so that in scenarios with concurrent requests each request ends up writing only the changes it made without overwriting the entire session in the data store.