On 9/6/05, Leon Rosenberg <[EMAIL PROTECTED]> wrote: > > > > After we agreed that this is a bug, I have to disappoint you again, and > tell > you, that this is NOT a bug. > According to the servlet spec, the webapp has to control access to the > session, not the container. To quote the jdk1.4 tutorial: > (http://java.sun.com/j2ee/1.4/docs/tutorial/doc/index.html, chapter 11)
Forwarded a note to the servlet spec lead ... the underlying spec language ( SRV.7.7.1) was originally intended to remind application users that they must make their *own* objects threadsafe if they are stored as a session attribute. To use that language as an excuse for the *container* not having to make its own collections threadsafe means that the language is broken. Craig