WildFly Elytron ELY-2113

Configuration option to disable session ID change

A prior fix was added under ELY-1945 to change the session ID after authentication. In some cases users would prefer their deployments not to change the ID, especially if their identity is being maintained using SSO.

This issue is to add a new configuration property:

"org.wildfly.security.http.unsafe.disable-session-change-id"

This will disable the change of session ID; additionally, we will log a warning to say that the protection offered by ELY-1945 has been switched off.

ELY-1945 was only an issue where the session ID was encoded in the URL; if session management is instead restricted to cookies only, the session fixation problem should also be prevented.
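As an added example (not part of this issue or of the Elytron code base), a servlet context listener that applies the cookie-only compensating control described above and fails the deployment if the property is set while URL session tracking is still in effect. Reading the property as a JVM system property with a true/false value, and the class name, are assumptions of the example.

```java
import java.util.EnumSet;
import java.util.Set;
import java.util.logging.Logger;

import javax.servlet.ServletContext;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.SessionTrackingMode;
import javax.servlet.annotation.WebListener;

/**
 * Deployment self-check: if session ID rotation after authentication is
 * switched off, make sure sessions are tracked by cookie only, so the
 * URL-encoded session ID case that ELY-1945 addressed cannot arise.
 */
@WebListener
public class SessionTrackingGuard implements ServletContextListener {

    // Property name as given in the issue; treating it as a JVM system
    // property holding "true"/"false" is an assumption of this example.
    static final String DISABLE_PROP =
            "org.wildfly.security.http.unsafe.disable-session-change-id";

    private static final Logger LOG = Logger.getLogger(SessionTrackingGuard.class.getName());

    @Override
    public void contextInitialized(ServletContextEvent sce) {
        ServletContext ctx = sce.getServletContext();
        // Restrict the container to cookies: no ;jsessionid=... URL rewriting.
        // This call is only permitted during context initialisation.
        ctx.setSessionTrackingModes(EnumSet.of(SessionTrackingMode.COOKIE));

        if (isSessionIdChangeDisabled()) {
            Set<SessionTrackingMode> effective = ctx.getEffectiveSessionTrackingModes();
            if (effective.contains(SessionTrackingMode.URL)) {
                // Fail closed: rotation is off AND the ID can still travel in the URL.
                throw new IllegalStateException(DISABLE_PROP
                        + " is set but URL session tracking is still enabled");
            }
            LOG.warning(DISABLE_PROP + " is set; relying on cookie-only session tracking"
                    + " (effective modes: " + effective + ")");
        }
    }

    static boolean isSessionIdChangeDisabled() {
        return Boolean.parseBoolean(System.getProperty(DISABLE_PROP, "false"));
    }

    @Override
    public void contextDestroyed(ServletContextEvent sce) {
        // nothing to clean up
    }
}
```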

            darran.lofthouse@redhat.com Darran Lofthouse
            rhn-support-ivassile Ilia Vassilev