Allow update of existing WebSession after max sessions limit is reached

Previously, when saving a WebSession, the system did not check whether the session ID already existed. As a result, even if the session being saved was an update to an existing one, it was incorrectly treated as a new session, and a "maximum sessions exceeded" error was triggered. This fix ensures that if a WebSession with the same ID already exists, it will be updated rather than counted as a new session, thereby preventing unnecessary session limit violations. See gh-35013 Closes gh-35018 Signed-off-by: Mohammad Saeed Nouri <msnsaeed71@gmail.com> (cherry picked from commit c04902fefb)
6 months ago · cd44efaf68
2 changed files with 21 additions and 1 deletions
--- a/spring-web/src/main/java/org/springframework/web/server/session/InMemoryWebSessionStore.java
+++ b/spring-web/src/main/java/org/springframework/web/server/session/InMemoryWebSessionStore.java
@ -280,7 +280,7 @@ public class InMemoryWebSessionStore implements WebSessionStore {
				@@ -280,7 +280,7 @@ public class InMemoryWebSessionStore implements WebSessionStore {
 		private void checkMaxSessionsLimit() {
 			if (sessions.size() >= maxSessions) {
 				expiredSessionChecker.removeExpiredSessions(clock.instant());
-				if (sessions.size() >= maxSessions) {
+				if (sessions.size() >= maxSessions && !sessions.containsKey(this.getId())) {
 					throw new IllegalStateException("Max sessions limit reached: " + sessions.size());
 				}
 			}
--- a/spring-web/src/test/java/org/springframework/web/server/session/InMemoryWebSessionStoreTests.java
+++ b/spring-web/src/test/java/org/springframework/web/server/session/InMemoryWebSessionStoreTests.java
@ -23,6 +23,7 @@ import java.util.stream.IntStream;
				@@ -23,6 +23,7 @@ import java.util.stream.IntStream;

 import org.junit.jupiter.api.Test;
 import reactor.core.scheduler.Schedulers;
+import reactor.test.StepVerifier;

 import org.springframework.beans.DirectFieldAccessor;
 import org.springframework.web.server.WebSession;
@ -157,6 +158,25 @@ class InMemoryWebSessionStoreTests {
				@@ -157,6 +158,25 @@ class InMemoryWebSessionStoreTests {
 				.withMessage("Max sessions limit reached: 10");
 	}

+	@Test
+	void updateSession() {
+		WebSession oneWebSession = insertSession();
+
+		StepVerifier.create(oneWebSession.save())
+				.expectComplete()
+				.verify();
+	}
+
+	@Test
+	void updateSession_whenMaxSessionsReached() {
+		WebSession onceWebSession = insertSession();
+		IntStream.range(1, 10000).forEach(i -> insertSession());
+
+		StepVerifier.create(onceWebSession.save())
+				.expectComplete()
+				.verify();
+	}
+

 	private WebSession insertSession() {
 		WebSession session = this.store.createWebSession().block();