An anonymous user session with principal=null is created in Mongo when I enter my app. The user authenticates with Spring Security SAML2. Session fixation protection kicks in and changes the session ID on HttpSession but on Mongo it does not change the ID, it creates a whole new session with principal=user.
Is it a bug or intended behavior that there are now 2 session records for that user, one with principal=null and another with principal=user?
How can I delete that anonymous session or change the session ID so there is only 1 session after auth?
An anonymous user session with principal=null is created in Mongo when I enter my app. The user authenticates with Spring Security SAML2. Session fixation protection kicks in and changes the session ID on HttpSession but on Mongo it does not change the ID, it creates a whole new session with principal=user.
Is it a bug or intended behavior that there are now 2 session records for that user, one with principal=null and another with principal=user? How can I delete that anonymous session or change the session ID so there is only 1 session after auth?
Dependencies: