As mentioned by Neokoenig, you are utilizing a shared scope to store user specific data, you should store that in SESSION. If you need the data in application scope you should be using a lock while setting that data, but it looks like you should be running this in onSessionStart once and not on every request. If you need to run it on every request you may want to continue using the onRequestStart but utilize the user specific session storage and not the global application layer.
Just remember:
Application variables will show the same data for all users. So if user a sets application.foo = 1 and user b sets application.foo = 2 then user one try to access application.foo, user 1 will see user 2's value of 2. If this was using session scope you would not have this same issue. If user 1 sets SESSION.foo = 1 and user 2 sets SESSION.foo = 2. When the user accesses the SESSION.foo variable it will only contain the data set by that user (ex: user 1 will output SESSION.foo and see the value, 1)