From de0e0c8aa69a584f8fe823ee1f4237ec16cd7b07 Mon Sep 17 00:00:00 2001
From: Mohammad Saeed Nouri <msnsaeed71@gmail.com>
Date: Sun, 8 Jun 2025 15:44:06 +0330
Subject: [PATCH 1/2] Fix: Allow session update when session ID already exists
 even if max sessions limit is reached

Signed-off-by: Mohammad Saeed Nouri <msnsaeed71@gmail.com>
---
 .../web/server/session/InMemoryWebSessionStore.java             | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/spring-web/src/main/java/org/springframework/web/server/session/InMemoryWebSessionStore.java b/spring-web/src/main/java/org/springframework/web/server/session/InMemoryWebSessionStore.java
index 449eb6651f2f..707d6f5e80ec 100644
--- a/spring-web/src/main/java/org/springframework/web/server/session/InMemoryWebSessionStore.java
+++ b/spring-web/src/main/java/org/springframework/web/server/session/InMemoryWebSessionStore.java
@@ -281,7 +281,7 @@ public Mono<Void> save() {
 		private void checkMaxSessionsLimit() {
 			if (sessions.size() >= maxSessions) {
 				expiredSessionChecker.removeExpiredSessions(clock.instant());
-				if (sessions.size() >= maxSessions) {
+				if (sessions.size() >= maxSessions && !sessions.containsKey(this.getId())) {
 					throw new IllegalStateException("Max sessions limit reached: " + sessions.size());
 				}
 			}

From 25e664271b1bb6fbef31b722819531e3cc8440cc Mon Sep 17 00:00:00 2001
From: Mohammad Saeed Nouri <msnsaeed71@gmail.com>
Date: Mon, 9 Jun 2025 20:12:16 +0330
Subject: [PATCH 2/2] Test case for Allow session update for existing session
 ID even if max sessions limit is reached

Signed-off-by: Mohammad Saeed Nouri <msnsaeed71@gmail.com>
---
 .../session/InMemoryWebSessionStoreTests.java | 20 +++++++++++++++++++
 1 file changed, 20 insertions(+)

diff --git a/spring-web/src/test/java/org/springframework/web/server/session/InMemoryWebSessionStoreTests.java b/spring-web/src/test/java/org/springframework/web/server/session/InMemoryWebSessionStoreTests.java
index 0bf488eda75a..ee59f14abe9d 100644
--- a/spring-web/src/test/java/org/springframework/web/server/session/InMemoryWebSessionStoreTests.java
+++ b/spring-web/src/test/java/org/springframework/web/server/session/InMemoryWebSessionStoreTests.java
@@ -30,6 +30,7 @@
 
 import static org.assertj.core.api.Assertions.assertThat;
 import static org.assertj.core.api.Assertions.assertThatIllegalStateException;
+import reactor.test.StepVerifier;
 
 /**
  * Tests for {@link InMemoryWebSessionStore}.
@@ -159,6 +160,25 @@ void maxSessions() {
 			.withMessage("Max sessions limit reached: 10000");
 	}
 
+	@Test
+	void updateSession() {
+		WebSession oneWebSession = insertSession();
+
+		StepVerifier.create(oneWebSession.save())
+				.expectComplete()
+				.verify();
+	}
+
+	@Test
+	void updateSession_whenMaxSessionsReached() {
+		WebSession onceWebSession = insertSession();
+		IntStream.range(1, 10000).forEach(i -> insertSession());
+
+		StepVerifier.create(onceWebSession.save())
+				.expectComplete()
+				.verify();
+	}
+
 	private WebSession insertSession() {
 		WebSession session = this.store.createWebSession().block();
 		assertThat(session).isNotNull();