bug: breaking change in commit da6f722

[itamarm-spike]

Description

After commit da6f722, our application started returning Invalid session ID (400) errors. This happens because InsecureStatefulSessionIdManager is now the default, and it stores session IDs locally. This breaks deployments running multiple instances without sticky IP sessions.

While WithStateLess does solve it, it may be more appropriate for NewDefaultSessionIdManagerResolver to default to StatelessSessionIdManager, which aligns with previous behavior and covers the majority of cases without introducing surprises at production. At minimum, the change should be documented so users deploying multiple instances/pods are aware of the impact.

Possible Solution

Set StatelessSessionIdManager as the default session manager to preserve the expected stateless behavior.