Session versioning support

[lprimak]

Following this checklist to help us incorporate your contribution quickly and easily:

• Make sure there is a GitHub issue filed
  for the change (usually before you start working on it). Trivial changes like typos do not
  require a GitHub issue. Your pull request should address just this issue, without pulling in other changes.
• Format the pull request title like [#XXX] - Fixes bug in SessionManager,
  where you replace #XXX with the appropriate GitHub issue. Best practice
  is to use the GitHub issue title in the pull request title and in the first line of the commit message.
• Write a pull request description that is detailed enough to understand what the pull request does, how, and why.
• add fixes #XXX if merging the PR should close a related issue.
• Run mvn verify to make sure basic checks pass. A more thorough check will be performed on your pull request automatically.
• Committers: Make sure a milestone is set on the PR
• Committers: Use "Squash and Merge" to combine all commits into one when merging a PR when appropriate.

Trivial changes like typos do not require a GitHub issue (javadoc, comments...).
In this case, just format the pull request title like [DOC] - Add javadoc in SessionManager.

If this is your first contribution, you have to read the Contribution Guidelines

If your pull request is about ~20 lines of code you don't need to sign an Individual Contributor License Agreement
if you are unsure please ask on the developers list.

To make clear that you license your contribution under the Apache License Version 2.0, January 2004
you have to acknowledge this by using the following check-box.

• I hereby declare this contribution to be licenced under the Apache License Version 2.0, January 2004
• In any other case, please file an Apache Individual Contributor License Agreement.

[Copilot]

Pull request overview

Adds “session versioning” plumbing across core and web modules to help prevent stale session updates (notably around caching/native sessions) by propagating a versioning flag through session creation and introducing version-aware cache writes.

Changes:

• Introduces VersionedSession and wires a “versioned” flag from SecurityManager/SessionManager → SessionContext → SimpleSession.
• Updates native session/web request flow to increment a session version (and adds incrementVersion to NativeSessionManager).
• Updates CachingSessionDAO to avoid overwriting a cached session with an older version.

Reviewed changes

Copilot reviewed 16 out of 16 changed files in this pull request and generated 12 comments.

Show a summary per file

File	Description
web/src/main/java/org/apache/shiro/web/subject/support/WebDelegatingSubject.java	Propagates versioning flag into WebSessionContext during session creation.
web/src/main/java/org/apache/shiro/web/session/mgt/ServletContainerSessionManager.java	Declares servlet-container sessions as non-versioned.
web/src/main/java/org/apache/shiro/web/servlet/AbstractShiroFilter.java	Adds request-end version increment hook for native sessions.
core/src/test/java/org/apache/shiro/session/mgt/AbstractValidatingSessionManagerTest.java	Updates test stub session manager for new isVersioned() API.
core/src/main/java/org/apache/shiro/subject/support/DelegatingSubject.java	Propagates versioning flag into SessionContext during session creation.
core/src/main/java/org/apache/shiro/session/mgt/VersionedSession.java	New interface defining version-aware session operations.
core/src/main/java/org/apache/shiro/session/mgt/SimpleSessionFactory.java	Creates SimpleSession using host + versioned flag from SessionContext.
core/src/main/java/org/apache/shiro/session/mgt/SimpleSession.java	Implements versioning and introduces atomic/concurrent structures + serialization changes.
core/src/main/java/org/apache/shiro/session/mgt/SessionManager.java	Adds isVersioned() API to drive version-aware session creation.
core/src/main/java/org/apache/shiro/session/mgt/SessionContext.java	Adds versioned flag getters/setters to session context.
core/src/main/java/org/apache/shiro/session/mgt/NativeSessionManager.java	Adds incrementVersion(SessionKey) API for native session managers.
core/src/main/java/org/apache/shiro/session/mgt/eis/CachingSessionDAO.java	Adds version-aware cache put logic to avoid caching stale sessions.
core/src/main/java/org/apache/shiro/session/mgt/DefaultSessionManager.java	Implements isVersioned() based on DAO type (caching DAO).
core/src/main/java/org/apache/shiro/session/mgt/DefaultSessionContext.java	Stores/retrieves the “versioned session” flag in the context map.
core/src/main/java/org/apache/shiro/session/mgt/AbstractNativeSessionManager.java	Implements incrementVersion for versioned sessions.
core/src/main/java/org/apache/shiro/mgt/DefaultSecurityManager.java	Propagates versioning into SessionContext and exposes isVersioned().

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[lprimak]

There is no need to version Shiro-native session, since the session is not saved for the duration of the request like Payara sessions are