During the lifecycle of an HTTP request, the HttpSession is typically persisted to SessionRepository twice. The first persist operation is to ensure that the session is available to the client as soon as the client has access to the session ID, and it is also necessary to write after the session is committed because further modifications to the session might be made. Having this in mind, we generally recommend that a SessionRepository implementation keep track of changes to ensure that only deltas are saved. This is particularly important in highly concurrent environments, where multiple requests operate on the same HttpSession and, therefore, cause race conditions, with requests overriding each other's changes to session attributes. All of the SessionRepository implementations provided by Spring Session use the described approach to persist session changes and can be used for guidance when you implement a custom SessionRepository.
Our AbstractInfinispanSessionRepository saves the entire set of attributes, even if the only thing being updated is the last access timestamp (see updateTTL()). We could use functional commands (directly when the cache is embedded, via server-side tasks when the cache is remote) to replicate only the subset of created/modified/removed attributes. We should also investigate using our native max-idle support for TTL.
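The lost update that full saves cause, and the delta save that avoids it, as an added example in plain Java (not Spring Session or Infinispan code). DeltaSession, saveAll, saveDelta and the ConcurrentHashMap standing in for the cache entry are hypothetical names chosen for illustration.

```java
import java.util.*;
import java.util.concurrent.ConcurrentHashMap;

public class DeltaSessionDemo {
    // Hypothetical stand-in for the cache entry holding one session's attributes.
    static final Map<String, Object> store = new ConcurrentHashMap<>();

    // Hypothetical session view that records only what this request changed.
    static class DeltaSession {
        private final Map<String, Object> snapshot;   // attributes as loaded
        private final Map<String, Object> changed = new HashMap<>();
        private final Set<String> removed = new HashSet<>();

        DeltaSession(Map<String, Object> loaded) { this.snapshot = new HashMap<>(loaded); }

        void setAttribute(String k, Object v) { changed.put(k, v); removed.remove(k); }
        void removeAttribute(String k) { changed.remove(k); removed.add(k); }

        // Full save: replaces the stored attributes with this request's view,
        // which may be stale if another request saved in the meantime.
        void saveAll(Map<String, Object> target) {
            Map<String, Object> full = new HashMap<>(snapshot);
            full.putAll(changed);
            removed.forEach(full::remove);
            target.clear();
            target.putAll(full);
        }

        // Delta save: touches only keys this request created, modified or removed.
        void saveDelta(Map<String, Object> target) {
            target.putAll(changed);
            removed.forEach(target::remove);
        }
    }

    public static void main(String[] args) {
        store.put("user", "alice");                 // constructed sample data
        DeltaSession a = new DeltaSession(store);   // request A loads the session
        DeltaSession b = new DeltaSession(store);   // request B loads it concurrently
        a.setAttribute("cart", "3 items");
        b.setAttribute("locale", "en_GB");

        a.saveAll(store); b.saveAll(store);         // B's stale snapshot drops "cart"
        System.out.println("full save:  " + store);

        store.clear(); store.put("user", "alice");  // reset to the loaded state
        a.saveDelta(store); b.saveDelta(store);     // both requests' changes survive
        System.out.println("delta save: " + store);
    }
}
```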