Hi Mike, Bob, Zico, Mohammed, et al. Long time gluu fan/implementer here. (since the 2.x days ;-) ) I remember 2 or 3 years ago there was an update to gluu (circa 4.1 or pre 4.1 iirc) where when a user authenticated a session, the actual sessionID that was authenticated was new (meaning different than the sessionID returned upon the first visit to the OP). I recall either seeing a support ticket, or release notes linked to a github issue describing the "why" in further details. I've searched for a while and cannot find the reference. I know it was a security related feature but don't recall the organizing spec/group reccomending that change. If you know the ticket/github issue I'm referring to, could you please post it here? Thanks!