Is behavior of getRequestedSessionId from SessionRepositoryRequestWrapper correct?

[mdenicki]

spring-session 2.0.5.RELEASE
spring-security 5.0.7.RELEASE

Method getRequestedSessionId in SessionRepositoryRequestWrapper (SessionRepositoryFilter.java) returns null if session id from request is not associated with any session from sessionRepository.

@Override
public String getRequestedSessionId() {
	S requestedSession = getRequestedSession();
	return (requestedSession != null ? requestedSession.getId() : null);
}

private S getRequestedSession() {
	if (!this.requestedSessionCached) {
		List<String> sessionIds = SessionRepositoryFilter.this.httpSessionIdResolver
				.resolveSessionIds(this);
		for (String sessionId : sessionIds) {
			S session = SessionRepositoryFilter.this.sessionRepository
					.findById(sessionId);
			if (session != null) {
				this.requestedSession = session;
				break;
			}
		}
		this.requestedSessionCached = true;
	}
	return this.requestedSession;
}

Is this correct behavior?
I'm using spring-session with spring-security and if requested session id is null, invalidSessionStrategy from SessionManagementFilter wont execute.

From SessionManagementFilter:

if (request.getRequestedSessionId() != null
		&& !request.isRequestedSessionIdValid()) {
	if (logger.isDebugEnabled()) {
		logger.debug("Requested session ID "
				+ request.getRequestedSessionId() + " is invalid.");
	}

	if (invalidSessionStrategy != null) {
		invalidSessionStrategy
				.onInvalidSessionDetected(request, response);
		return;
	}
}

Shouldn't getRequestedSessionId just return session id from request without any validation? That was behavior in 1.3.3.RELEASE version.

[vpavic]

We have addressed this in 2.1.1.RELEASE and 2.0.8.RELEASE. See #1229 for more details.

[vpavic]

Duplicate of #1229