Feature Request
Resolution: Unresolved
Major
Session IDs are not part of the OpenID Connect specification, for example.
Currently, sessions are not connected to the SecurityIdentity that results after authentication.
We could consider the following potential enhancements related to sessions as requested by some users:
- Add the ability to specify whether or not the session ID should be changed upon authentication
- Add the ability to specify that an authenticated user should become the owner of a session if the session is used for the first time by that user
- Add the ability to specify whether or not unauthenticated access to an authenticated session is forbidden
Note that these enhancements can also be considered for other "stateless" mechanisms like BASIC, etc.
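
The three proposed options, modelled as a framework-independent session store. This is an added example, not code from the project; `SessionPolicy`, `SessionStore` and all option names are hypothetical, and refusing a different authenticated identity on an owned session is an assumption the request does not state.

```python
import secrets
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class SessionPolicy:  # hypothetical option names, one per proposed enhancement
    change_id_on_authentication: bool = True
    bind_owner_on_first_use: bool = True
    forbid_unauthenticated_access: bool = True


@dataclass
class Session:
    authenticated: bool = False   # has an authenticated request used this session?
    owner: Optional[str] = None   # identity name bound to the session, if any
    data: dict = field(default_factory=dict)


class SessionAccessDenied(Exception):
    pass


class SessionStore:
    def __init__(self, policy: SessionPolicy):
        self.policy = policy
        self._sessions = {}

    def create(self) -> str:
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = Session()
        return sid

    def access(self, sid: str, principal: Optional[str] = None):
        """Resolve a request's session; returns (session_id, session).
        The returned ID differs from `sid` when the ID was changed."""
        s, p = self._sessions[sid], self.policy  # KeyError: unknown or retired ID
        if s.authenticated and principal is None and p.forbid_unauthenticated_access:
            raise SessionAccessDenied("anonymous request on an authenticated session")
        # Assumption (not stated in the request): another identity is refused too.
        if s.owner is not None and principal not in (None, s.owner):
            raise SessionAccessDenied("session is owned by another identity")
        if principal is not None and not s.authenticated:
            s.authenticated = True
            if p.bind_owner_on_first_use:
                s.owner = principal
            if p.change_id_on_authentication:
                del self._sessions[sid]          # pre-authentication ID stops working
                sid = secrets.token_urlsafe(32)  # state carries over under a fresh ID
                self._sessions[sid] = s
        return sid, s
```

With all three options off, `access` behaves like the current state described above: the session is never tied to the identity and the ID never changes.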