From cd44efaf687ce9a13e28e5569ee9c4fd4ee134f6 Mon Sep 17 00:00:00 2001 From: Mohammad Saeed Nouri Date: Sun, 8 Jun 2025 15:44:06 +0330 Subject: [PATCH] Allow update of existing WebSession after max sessions limit is reached Previously, when saving a WebSession, the system did not check whether the session ID already existed. As a result, even if the session being saved was an update to an existing one, it was incorrectly treated as a new session, and a "maximum sessions exceeded" error was triggered. This fix ensures that if a WebSession with the same ID already exists, it will be updated rather than counted as a new session, thereby preventing unnecessary session limit violations. See gh-35013 Closes gh-35018 Signed-off-by: Mohammad Saeed Nouri (cherry picked from commit c04902fefbe54e89d423addbf8d724870cf09213)
---
 .../session/InMemoryWebSessionStore.java | 2 +- .../session/InMemoryWebSessionStoreTests.java | 20 +++++++++++++++++++ 2 files changed, 21 insertions(+), 1 deletion(-)
diff --git a/spring-web/src/main/java/org/springframework/web/server/session/InMemoryWebSessionStore.java b/spring-web/src/main/java/org/springframework/web/server/session/InMemoryWebSessionStore.java
index 6e76d76e9c..e76b133363 100644
--- a/spring-web/src/main/java/org/springframework/web/server/session/InMemoryWebSessionStore.java
+++ b/spring-web/src/main/java/org/springframework/web/server/session/InMemoryWebSessionStore.java
@@ -280,7 +280,7 @@ public class InMemoryWebSessionStore implements WebSessionStore {
 private void checkMaxSessionsLimit() {
 if (sessions.size() >= maxSessions) {
 expiredSessionChecker.removeExpiredSessions(clock.instant());
- if (sessions.size() >= maxSessions) {
+ if (sessions.size() >= maxSessions && !sessions.containsKey(this.getId())) {
 throw new IllegalStateException("Max sessions limit reached: " + sessions.size());
 }
 }
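Review bot: In `checkMaxSessionsLimit()` the new `containsKey` exemption is applied only to the inner condition, so once the store is at capacity every save of an already-stored session still runs `expiredSessionChecker.removeExpiredSessions(clock.instant())` before it is let through. A full store is the state this limit exists to contain, so I would test membership on the outer guard instead, `if (sessions.size() >= maxSessions && !sessions.containsKey(this.getId())) {`, and leave the inner check as `if (sessions.size() >= maxSessions) {`; how expensive the sweep is cannot be seen from this hunk, so confirm that first. A short comment above the condition, `// Re-saving a stored session does not grow the map, so it is exempt from the limit`, would record why the exemption does not weaken the cap. The method's closing brace and the later insert into `sessions` are outside the hunk, so whether the check and the insert can race under concurrent saves is not something this hunk settles.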
diff --git a/spring-web/src/test/java/org/springframework/web/server/session/InMemoryWebSessionStoreTests.java b/spring-web/src/test/java/org/springframework/web/server/session/InMemoryWebSessionStoreTests.java
index 7847cc3537..baeac73d00 100644
--- a/spring-web/src/test/java/org/springframework/web/server/session/InMemoryWebSessionStoreTests.java
+++ b/spring-web/src/test/java/org/springframework/web/server/session/InMemoryWebSessionStoreTests.java
@@ -23,6 +23,7 @@ import java.util.stream.IntStream;
 import org.junit.jupiter.api.Test;
 import reactor.core.scheduler.Schedulers;
+import reactor.test.StepVerifier;
 import org.springframework.beans.DirectFieldAccessor;
 import org.springframework.web.server.WebSession;
@@ -157,6 +158,25 @@ class InMemoryWebSessionStoreTests {
 .withMessage("Max sessions limit reached: 10");
 }
+ @Test
+ void updateSession() {
+ WebSession oneWebSession = insertSession();
+
+ StepVerifier.create(oneWebSession.save())
+ .expectComplete()
+ .verify();
+ }
+
+ @Test
+ void updateSession_whenMaxSessionsReached() {
+ WebSession onceWebSession = insertSession();
+ IntStream.range(1, 10000).forEach(i -> insertSession());
+
+ StepVerifier.create(onceWebSession.save())
+ .expectComplete()
+ .verify();
+ }
+
 private WebSession insertSession() {
 WebSession session = this.store.createWebSession().block();