SRV.7.7 Important Session Semantics

SRV.7.7.1 Threading Issues

Multiple servlets executing request threads may have active access to a single session object at the same time. The developer has the responsibility to synchronize access to resources stored in the session as appropriate.

SRV.7.7.2 Distributed Environments

Within an application that is marked as distributable, all requests that are part of a session can be handled on only a single VM at any one time. In addition, all objects placed into instances of the HttpSession class using the setAttribute or putValue methods must implement the Serializable interface. The servlet container may throw an IllegalArgumentException if a non-serializable object is placed into the session.

These restrictions mean that the developer is ensured that there are no additional concurrency issues beyond those encountered in a non-distributed container. In addition, the container provider can ensure scalability by having the ability to move a session object, and its contents, from any active node of the distributed system to a different node of the system.

SRV.7.7.3 Client Semantics

Due to the fact that cookies or SSL certificates are typically controlled by the web browser process and are not associated with any particular window of the browser, requests from all windows of a client application to a servlet container might be part of the same session. For maximum portability, the developer should always assume that all windows of a client are participating in the same session.