If I could leave the 'session' object up and running on a web box
servicing a huge number of requests I would be able to scale the
solution (as all the caches are full of juicy data servicing millions of
requests). The bit I don't understand is how, many users can utilize the
same session without causing authorisation problems.
I'm not sure whether I understand you correctly: are you talking about web users or JCR users? Every JCR session is tied to exactly one JCR user (the one passed to the Repository.login method). Of course, different users potentially have different authorisation settings and therefore letting one user access the caches of another violates authorisation. Just keep in mind that all caches I explained are purely session-specific and hence represent the selected workspace's view of that user's session.
Regards Dominique
