I am newbie in web programming, I known HTTP protocol is stateless, and I know we can use session attribute to store the state of user, but I read "Head first Servlets & JSP" and it mentioned that even session attribute is not thread safe because the same user can open more than one browser, so if session attribute is not thread safe, then how should we keep the state of user?
Using the session object is the best way to keep the state of the user.
Yes the session object is not thread safe. In many cases it does not matter that the session object is not thread safe.
In case the session object is holding critical data like say a shopping cart where thread safety is important you need to make sure that all your code that access the session object is synchronized!
The session object not being thread safe is only a warning for you to make sure that you write code in a manner that makes the session object thread safe to access. Any alternate means to track session will also face the same issue!