Spring Security ConcurrentSessionControlAuthenticationStrategy.allowableSessionsExceeded set the latest session to invalid, is this a bug?

Describe the bug In Spring security 5.1.11.RELEASE, the allowableSessionsExceeded

    int maximumSessionsExceededBy = sessions.size() - allowableSessions + 1;
    List<SessionInformation> sessionsToBeExpired = sessions.subList(0, maximumSessionsExceededBy);

this code will set the newest session to expired, the response will be the expired session.

Could someOne Pls tell me is this a bug? or how to fix it. Since I can not control allowableSessions, Thanks a lot

Comment From: eleftherias

Thanks for reaching out @XueQian.

Please note that the 5.1.x branch has reached its End of Live, meaning that there are no further maintenance releases or security patches planned. We advise you to migrate to a supported branch as soon as possible. However, we can continue looking into this issue, since it may also affect other branches.

The default behaviour is to expire any sessions that exceed the maximum number of permitted sessions, starting with the least recently used sessions.

If you see the newest session (most recently used) is the first to expire, then that is a bug.

Could you please provide a sample that reproduces this issue?

Comment From: spring-projects-issues

If you would like us to look at this issue, please provide the requested information. If the information is not provided within the next 7 days this issue will be closed.

Comment From: spring-projects-issues

Closing due to lack of requested feedback. If you would like us to look at this issue, please provide the requested information and we will re-open the issue.