The session attributes are not thread safe. One session object is used to maintain conversational state with only one client. So what is the need of thread safety?
A client can make more than one request at a time. How client can make more than one request at a time?,client can open new browser and make request,and both requests come under same session.
So the both the requests might try to set the data and can result bad data (as in the previous question).
So the context attributes must be synchronized as context attribute.
HttpSession session=new HttpSession();
we synchronize on the HttpSession object to protect the session attributes.