Spring Security's API Documentation for SessionCreationPolicy
says the following for the IF_REQUIRED
property, which I believe is the default:
Spring Security will only create an
HttpSession
if required
And that's all it has to say about that. But what does that mean? When does Spring determine that a new session "is required"?