How far will Attributes that are shared in a session object without synchronizing on the session object affect a multi-user web-site.

Using session objects without synchronization is technically not thread safe, as we all know... Well written code will synchronize on the HttpSession when working with session objects. However, not doing this will really only cause problems when the same client opens up two browser windows at the same time... so it doesn't matter how many people are using the site concurrently. The client may corrupt his session data by having multiple windows open