why Session attributes are officially not thread safe in Servlet?

I am reading some servlet text regarding scope of attributes in Java servlet. In the text, the author wrote: "Session attributes are officially not thread safe."

This confused me because I thought that one user only has a spe开发者_如何学Ccific session, no one can access of the others. If so, session attributes are thread safe. Or am I misunderstanding something??

---

This confused me because I thought that one user only has a specific session, no one can access of the others. If so, session attributes are thread safe.

Well, if that was the case, session attributes need not be thread-safe. That is different from saying they are thread-safe.

The lack of thread safety might be a problem if you have more than one thread handling the same user's session at the same time. Maybe some parallel executions that you spawned from the main request worker thread. Or the same user accessing the server more than once (such as loading five frames at the same time).

---

Session attribute is not thread safe.

From this document (Java theory and practice: Are all stateful Web applications broken?)

When a Web application stores mutable session data such as a shopping cart in an HttpSession, it becomes possible that two requests may try to access the shopping cart at the same time. Several failure modes are possible, including:
1. An atomicity failure, where one thread is updating multiple data items and another thread reads the data while they are in an inconsistent state
2. A visibility failure between a reading thread and a writing thread, where one thread modifies the cart but the other sees a stale or inconsistent state for the cart's contents

Have a look at thread from coderanch;

1. How HttpSession is not thread safe
2. Are Session thread safe.