This isn't a Threading issue, it is more of a web application design issue. Since the requests for each 'user' will happen over multiple different threads coming from the same
thread pool there is no synchronization scheme which will allow separate data (you can't use ThreadLocal for example, and it isn't about publishing or modifying data atomically, it is about data isolation).
The only real way to get this to work is to make sure the two 'users' don't share the same session, and the only way I can think of doing that are:
1) Don't allow multiple tabs to work with different users. If a request for login comes in from a client which already has a session then block the login and use the currently logged in user.
2) Don't allow multiple tabs to work with different users (2). If a request for login comes in from a client which already has a session then discard the old session and start a new one with the new user name.
3) Don't use cookies to track session, use URL encoding. Then each new login could have a different session id, and the session would not be shared.
4) Use 'sessions' within sessions. Each HttpSession has a Map<
String, Object> which you store that represents the current tab's 'sub-session' and is stored in the Session with semi-unique id (only has to be unique within the Session). All your data goes in one of these. Every URL has some encoding which adds the id to the URL as a parameter. Instead of using (pseudo code):
You would have to use (pseudo code):
Similar changes would be made to EL access in JSPs (pseudo code):
Depending on the application, I like #1 or #3, have never used #4 but it seems like a reasonable approach depending on how much application change that takes.