The code is included at the bottom. There is only a single instance of client. I had theorized that because getAndTouch had to update the TTL, it may have failed to lock the record, perhaps, and hence, return null, but that does not seem to be the case as per your explanation.
I'd say 99% of the time the test cases would work fine, but from time to time, the test cases would fail because the session object cannot be found. The oid, a java String, does make use of characters such as "." and "_", a-z, A-Z, 0-9.
String json = null;
if(ttl > 0)
net.spy.memcached.CASValue casv = client.getAndTouch(oid, ttl);
if(casv != null)
json = (String)casv.getValue();
json = (String)client.get(oid);
if(json == null)