Allow update of existing WebSession after max sessions limit is reached

Mohammad Saeed Nouri · sbrannen · commit cd44efaf687c · 2025-06-10T12:38:58.000+02:00
Previously, when saving a WebSession, the system did not check whether the session ID already existed. As a result, even if the session being saved was an update to an existing one, it was incorrectly treated as a new session, and a "maximum sessions exceeded" error was triggered. This fix ensures that if a WebSession with the same ID already exists, it will be updated rather than counted as a new session, thereby preventing unnecessary session limit violations. See gh-35013 Closes gh-35018 Signed-off-by: Mohammad Saeed Nouri <msnsaeed71@gmail.com> (cherry picked from commit c04902f)
diff --git a/spring-web/src/main/java/org/springframework/web/server/session/InMemoryWebSessionStore.java b/spring-web/src/main/java/org/springframework/web/server/session/InMemoryWebSessionStore.java
@@ -280,7 +280,7 @@ public Mono<Void> save() {
 		private void checkMaxSessionsLimit() {
 			if (sessions.size() >= maxSessions) {
 				expiredSessionChecker.removeExpiredSessions(clock.instant());
-				if (sessions.size() >= maxSessions) {
+				if (sessions.size() >= maxSessions && !sessions.containsKey(this.getId())) {
 					throw new IllegalStateException("Max sessions limit reached: " + sessions.size());
 				}
 			}
diff --git a/spring-web/src/test/java/org/springframework/web/server/session/InMemoryWebSessionStoreTests.java b/spring-web/src/test/java/org/springframework/web/server/session/InMemoryWebSessionStoreTests.java
@@ -23,6 +23,7 @@
 
 import org.junit.jupiter.api.Test;
 import reactor.core.scheduler.Schedulers;
+import reactor.test.StepVerifier;
 
 import org.springframework.beans.DirectFieldAccessor;
 import org.springframework.web.server.WebSession;
@@ -157,6 +158,25 @@ void maxSessions() {
 				.withMessage("Max sessions limit reached: 10");
 	}
 
+	@Test
+	void updateSession() {
+		WebSession oneWebSession = insertSession();
+
+		StepVerifier.create(oneWebSession.save())
+				.expectComplete()
+				.verify();
+	}
+
+	@Test
+	void updateSession_whenMaxSessionsReached() {
+		WebSession onceWebSession = insertSession();
+		IntStream.range(1, 10000).forEach(i -> insertSession());
+
+		StepVerifier.create(onceWebSession.save())
+				.expectComplete()
+				.verify();
+	}
+
 
 	private WebSession insertSession() {
 		WebSession session = this.store.createWebSession().block();

Original file line number	Diff line number	Diff line change
`@@ -280,7 +280,7 @@ public Mono<Void> save() {`
`280`	`280`	`private void checkMaxSessionsLimit() {`
`281`	`281`	`if (sessions.size() >= maxSessions) {`
`282`	`282`	`expiredSessionChecker.removeExpiredSessions(clock.instant());`
`283`		`- if (sessions.size() >= maxSessions) {`
	`283`	`+ if (sessions.size() >= maxSessions && !sessions.containsKey(this.getId())) {`
`284`	`284`	`throw new IllegalStateException("Max sessions limit reached: " + sessions.size());`
`285`	`285`	`}`
`286`	`286`	`}`