HttpSession is accessible only to the threads that are servicing requests belonging to
that session. We may think that there can be only one request from the user at a time and,
therefore, the session scope would be thread safe; however, that’s not the case. A user can
open multiple browser windows and send requests through multiple windows. In such
instances, all the requests belong to the same session and all the threads processing these
requests will be able to access the session attributes simultaneously.