Hi, I have currently migrated my application from Spring Boot 2.7.10 to 3.0.5. My application tests failed because of missing AuthenticationStrategy. After invoking the following line in my SecurityFilterChain the tests were fixed.
```java
http.sessionManagement().sessionAuthenticationStrategy(new ChangeSessionIdAuthenticationStrategy());
```
The documentation says that ChangeSessionIdAuthenticationStrategy is already the default:
```java
/**
 * Allows explicitly specifying the {@link SessionAuthenticationStrategy}. The default
 * is to use {@link ChangeSessionIdAuthenticationStrategy}. If restricting the maximum
 ...
 */
public SessionManagementConfigurer<H> sessionAuthenticationStrategy(
```
Maybe this is a bug in the documentation. I'm not quite sure.
Comment From: srcimon
Actually it doesn't matter which SessionAuthenticationStrategy I set. Any invocation of this method fixes my tests, which test if another user can take over an existing session.
Comment From: wilkinsona
The code in question is part of Spring Security which is managed as a separate project. You may want to report this to them.
Comment From: srcimon
Thank you @wilkinsona. Created issue on spring security: https://github.com/spring-projects/spring-security/issues/12994