When concurrent requests are made from the browser to the server, all of them load the session to get the information about the current user, and one of the requests stores some data in the session. Due to racing, there is a chance that a response that reads from the session will overwrite the session value set by a response that writes to the session.
These changes are not going to solve the issue of the overwritten session but are going to make them less frequent. Also will reduce actions done in runtime like cookie encrypting and signing.
When concurrent requests are made from the browser to the server, all of them load the session to get the information about the current user, and one of the requests stores some data in the session. Due to racing, there is a chance that a response that reads from the session will overwrite the session value set by a response that writes to the session.
These changes are not going to solve the issue of the overwritten session but are going to make them less frequent. Also will reduce actions done in runtime like cookie encrypting and signing.
The issue was reported:
Related to: