Servlet 2.5 MR6
"Multiple servlets executing request threads may have active access to the same session object at the same time. The container must ensure that manipulation of internal data structures representing the session attributes is performed in a threadsafe manner. The Developer has the responsibility for threadsafe access to the attribute objects themselves. This will protect the attribute collection inside the HttpSession object from concurrent access, eliminating the opportunity for an application to cause that collection to become corrupted.
Originally posted by Alwin McDonnell:
If the session is maintained in memory (and this would be required to maintain non-Serializable objects) then this should be adequate. If attributes were serialized on setAttribute and deserialized on getAttribute (the spec doesn't prohibit it), then this would not work. Are there any known containers that behave like this?