Undertow / UNDERTOW-2686

HttpSession.Accessor can throw ISE if session identifier has since changed


    • Type: Bug
    • Resolution: Unresolved
    • Priority: Major
    • EE 2.0.0.Alpha2
    • EE 2.0.0.Alpha1
    • Servlet

      The following spec-compliant code will throw an ISE if the session returned via a SessionManager implements Session.detach() in a meaningful way:

      HttpSession session = request.getSession();
      HttpSession.Accessor accessor = session.getAccessor();
      String newId = request.changeSessionId();
      assert session.getId().equals(newId); // Succeeds
      accessor.access(s -> { assert s.getId().equals(newId); }); // Fails!!!

      WildFly's distributed session manager implements Session.detach() by returning a Session facade that lazily looks up the session from the manager. However, if the session identifier is modified after the Accessor is created, the session identifier referenced by the Accessor is no longer valid, and invocations on the accessed session will throw an IllegalStateException.

      Rather than detach() returning a Session implementation/facade specifying a specific identifier, we only need it to supply a session identifier. The session identifier should then be resolved lazily within Accessor.access(...).

              Paul Ferraro (pferraro@redhat.com)
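
To make the difference between the two accessor designs concrete, here is a small added example. It is not Undertow or WildFly code but an in-memory model of the situation described in the issue: SessionManager, ManagedSession, SessionAccessor, eagerAccessor() and lazyAccessor() are names chosen for this illustration, and SessionManager.changeId() stands in for HttpServletRequest.changeSessionId(). The eager accessor snapshots the identifier when it is created, so once the identifier changes its lookup throws IllegalStateException; the lazy accessor captures only a Supplier of the identifier and resolves it inside access(), so it follows the change.

```java
import java.util.Map;
import java.util.UUID;
import java.util.concurrent.ConcurrentHashMap;
import java.util.function.Consumer;
import java.util.function.Supplier;

// Added illustration: a hypothetical in-memory model, not Undertow or WildFly code.
// SessionManager, ManagedSession, SessionAccessor, eagerAccessor() and lazyAccessor()
// are names assumed for this example only.

/** Minimal session store keyed by identifier, with support for re-keying a session. */
final class SessionManager {
    private final Map<String, ManagedSession> sessions = new ConcurrentHashMap<>();

    ManagedSession create() {
        ManagedSession session = new ManagedSession(this, UUID.randomUUID().toString());
        this.sessions.put(session.getId(), session);
        return session;
    }

    /** Resolves an identifier to its session on every call, as a distributed manager would. */
    ManagedSession find(String id) {
        ManagedSession session = this.sessions.get(id);
        if (session == null) {
            // A stale identifier (e.g. one replaced by changeId) is no longer valid.
            throw new IllegalStateException("No session with id " + id);
        }
        return session;
    }

    /** Stand-in for HttpServletRequest.changeSessionId(): re-keys the session under a fresh id. */
    String changeId(ManagedSession session) {
        String oldId = session.getId();
        String newId = UUID.randomUUID().toString();
        this.sessions.remove(oldId);
        session.setId(newId);
        this.sessions.put(newId, session);
        return newId;
    }
}

/** Stand-in for HttpSession.Accessor. */
@FunctionalInterface
interface SessionAccessor {
    void access(Consumer<ManagedSession> action);
}

final class ManagedSession {
    private final SessionManager manager;
    private volatile String id;

    ManagedSession(SessionManager manager, String id) {
        this.manager = manager;
        this.id = id;
    }

    String getId() { return this.id; }
    void setId(String id) { this.id = id; }

    /** Problematic shape: the identifier is fixed at the moment the accessor is created. */
    SessionAccessor eagerAccessor() {
        String capturedId = this.id; // snapshot taken now; goes stale after changeId()
        return action -> action.accept(this.manager.find(capturedId));
    }

    /** Proposed shape: only a supplier of the identifier is captured; resolution happens inside access(). */
    SessionAccessor lazyAccessor() {
        Supplier<String> currentId = this::getId;
        return action -> action.accept(this.manager.find(currentId.get()));
    }
}

public class AccessorIdentifierDemo {
    public static void main(String[] args) {
        SessionManager manager = new SessionManager();
        ManagedSession session = manager.create();

        SessionAccessor eager = session.eagerAccessor();
        SessionAccessor lazy = session.lazyAccessor();

        // The identifier both accessors were created under is now replaced.
        String newId = manager.changeId(session);

        // Lazy resolution reads the current identifier and finds the session.
        lazy.access(s -> System.out.println("lazy accessor sees id " + s.getId()
                + ", matches new id: " + s.getId().equals(newId)));

        // Eager capture still looks up the old identifier and fails.
        try {
            eager.access(s -> System.out.println("eager accessor sees id " + s.getId()));
        } catch (IllegalStateException e) {
            System.out.println("eager accessor failed: " + e.getMessage());
        }
    }
}
```

Compile and run with `javac AccessorIdentifierDemo.java && java AccessorIdentifierDemo`; the lazy accessor reports a match while the eager accessor reports the IllegalStateException. The model is single-threaded for clarity; a real manager would need changeId() to be atomic with respect to concurrent lookups.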