Use the @lock_session() decorator to acquire an exclusive lock on a CherryPy session for the duration of the current request. (See: CherryPy v3.2.0 documentation, Reference Manual.) This protects against deadlocks and race conditions between methods concurrently making changes to session data.
Splunk implements custom session lock behaviour by default, where CherryPy acquires a shared lock instead of an exclusive lock. A local shared lock protects against race conditions between threads and a file level lock protects against races between processes.
@expose_page(must_login=False, methods=['GET','POST'], verify_session=False)@lock_session @set_cache_level('never') def login(self, username=None, password=None, return_to=None, cval=None, **kwargs): ... elided ...