Accessing Session properties via getProperties() causes a defensive copy, as that method is meant for public API. Internal read operations should bypass this getter.