[#2713] [3.0] bugfix: Improve thread-safety of Shiro-native sessions by using Atomic* classes

[lprimak]

While auditing Shiro-native sessions for correctness, I noticed that there is indeed a possibility of race conditions there.
This PR fixes this by using Atomic* for shared mutable values, and ConcurrentHashMap for session attributes.

There is some code cleanup, such as adding @Override annotations as I went along this path

fixes #2713

Following this checklist to help us incorporate your contribution quickly and easily:

• Make sure there is a GitHub issue filed
  for the change (usually before you start working on it). Trivial changes like typos do not
  require a GitHub issue. Your pull request should address just this issue, without pulling in other changes.
• Format the pull request title like [#XXX] - Fixes bug in SessionManager,
  where you replace #XXX with the appropriate GitHub issue. Best practice
  is to use the GitHub issue title in the pull request title and in the first line of the commit message.
• Write a pull request description that is detailed enough to understand what the pull request does, how, and why.
• add fixes #XXX if merging the PR should close a related issue.
• Run mvn verify to make sure basic checks pass. A more thorough check will be performed on your pull request automatically.
• Committers: Make sure a milestone is set on the PR
• Committers: Use "Squash and Merge" to combine all commits into one when merging a PR when appropriate.

Trivial changes like typos do not require a GitHub issue (javadoc, comments...).
In this case, just format the pull request title like [DOC] - Add javadoc in SessionManager.

If this is your first contribution, you have to read the Contribution Guidelines

If your pull request is about ~20 lines of code you don't need to sign an Individual Contributor License Agreement
if you are unsure please ask on the developers list.

To make clear that you license your contribution under the Apache License Version 2.0, January 2004
you have to acknowledge this by using the following check-box.

• I hereby declare this contribution to be licenced under the Apache License Version 2.0, January 2004
• In any other case, please file an Apache Individual Contributor License Agreement.

[Copilot]

Pull request overview

This PR aims to address issue #2713 by making SimpleSession state updates (timestamps, timeout, expired flag, and attributes) more concurrency-safe, improving cross-thread visibility of session mutations that can affect timeout/expiration behavior.

Changes:

• Replace stopTimestamp, lastAccessTime, timeout, and expired with AtomicReference/AtomicLong/AtomicBoolean wrappers.
• Use ConcurrentHashMap for session attributes and update lazy initialization accordingly.
• Update custom Java serialization logic (writeObject/readObject) to read/write the underlying values.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

Pull request overview

Copilot reviewed 1 out of 1 changed files in this pull request and generated 1 comment.

Comments suppressed due to low confidence (1)

core/src/main/java/org/apache/shiro/session/mgt/SimpleSession.java:525

• In readObject, attributes are deserialized directly into the session. Older serialized sessions may contain a non-concurrent Map (e.g., HashMap), which defeats the new thread-safety expectations for attributes and can reintroduce concurrency issues. Consider wrapping the deserialized map in a ConcurrentHashMap (or reusing setAttributes) after reading it from the stream.

        if (isFieldPresent(bitMask, HOST_BIT_MASK)) {
            this.host = in.readUTF();
        }
        if (isFieldPresent(bitMask, ATTRIBUTES_BIT_MASK)) {
            this.attributes = (Map<Object, Object>) in.readObject();
        }

[Copilot]

Pull request overview

Copilot reviewed 1 out of 1 changed files in this pull request and generated 3 comments.

[steinarb]

It would be nice if this class had a test

[lprimak]

Thanks Steinar! I am actually looking if there is a better way to do this (there probably is) so stay tuned. I may even close PR, or start over :)

[lprimak]

I've decided to continue with current approach, Steinar,
Which test do you think is missing? Will be glad to add.
We have org/apache/shiro/session/mgt/SimpleSessionTest.java,
also we have org/apache/shiro/session/mgt/AbstractValidatingSessionManagerTest.java

It would be nice if this class had a test

[Copilot]

Pull request overview

Copilot reviewed 1 out of 1 changed files in this pull request and generated 3 comments.

[steinarb]

>>>> Lenny Primak ***@***.***>: lprimak left a comment (apache/shiro#2712) I've decided to continue with current approach, Steinar, Which test do you think is missing? Will be glad to add. We have `org/apache/shiro/session/mgt/SimpleSessionTest.java`, also we have `org/apache/shiro/session/mgt/AbstractValidatingSessionManagerTest.java`

Ah, sorry. For some reason I thought this was a new class. Mental short circuit. If SimpleSessiontest covers everything then of course no new tests are needed.

[lprimak]

I doubt everything is covered, but yes thank you :)

[lprimak]

Guys, I would love to get this into 3.0.0 so please review.

[steinarb]

I've never used AtomicReference (had to google it), but changes LGTM! 👍