For deployed portlets, upon each request, PortletServlet tries to add the portlet session wrapped in a SharedSessionWrapper to PortletSessionTracker so that we can invalidate the session when the HTTP session gets invalidated. However as we wrap the portlet session into a new SharedSessionWrapper for each getSession() request and because SharedSessionWrapper doesn't have its hashCode() or equals() method implemented, the hash set in PortletSessionTracker will store this new SharedSessionWrapper for each request.
While this usually doesn't cause any out of memory problems as users' sessions time out and real load on a portal usually involves multiple sessions, there can be scenarios when many requests are sent either in a relatively short time or with a long lived session (load test, single - e.g. machine - consumer on the other end). In these cases this problem can cause out of memory errors.