Describe the bug

With the default configuration, Spring Security invalidates the existing session when the user authenticates and creates a new one. It is sensible to prevent session fixation attacks.

SessionFixationProtectionEvent is not working when I use it in an ApplicationListener implementation.

To Reproduce

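import org.springframework.context.ApplicationListener;
import org.springframework.security.web.authentication.session.SessionFixationProtectionEvent;
import org.springframework.stereotype.Component;

@Component
public class TestListener implements ApplicationListener<SessionFixationProtectionEvent> {
    @Override
    public void onApplicationEvent(SessionFixationProtectionEvent sessionFixationProtectionEvent) {
        System.out.println("session fixation event");
        System.out.println(sessionFixationProtectionEvent.getOldSessionId());
        System.out.println(sessionFixationProtectionEvent.getNewSessionId());
    }
}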

Expected behavior

There are no stdout logs in the console.

Sample

Just create a secure WebFlux project, for example with a /hello API.

/hello (session-id=x)

/login (redirected to login, session-id=x)

After successful authentication, session-id is set to y.

/hello (session-id=y)

Comment From: jzheaux

This appears related to https://github.com/spring-projects/spring-security/issues/4961

Comment From: rwinch

This does appear to be a duplicate. I'm closing in favor of gh-4961. @dgempiuc please reopen if you disagree.