Following session ID generation, we currently validate that the session ID is not already in use, in which case, we generate a new ID. This is not only racey, but requires a call to Cache.containsKey(...). This is potentially a costly call, since we need to search both memory and the cache store - particularly costly when using a remote cache store. We eventually add the new session via Cache.putIfAbsent(...), which already atomically ensures no session with that ID already exists.
Additionally, when creating the dependent cache entries for a session (i.e. access meta data, session attributes), we don't need putIfAbsent semantics - a AdvancedCache.withFlags(Flags.IGNORE_RETURN_VALUES).put(...) will suffice.